What can businesses expect from the European Commission's much tougher data breach rules?
It has been announced that the European Union is planning to make it mandatory for all businesses in the region to notify customers should the security of their personal information be breached.
As part of plans to update EU data protection legislation that was first introduced in 1995, European Union justice commissioner Viviane Reding said that she was also considering whether to include an "accountability principle" to protect the privacy of cloud computing users as well as a "right to be forgotten". Reding told the British Bankers’ Association’s Data Protection and Privacy Conference in London on Monday that the aim in streamlining existing data breach rules across different member states was to simplify the current regulatory environment and reduce the admin burden on companies.
"I intend to introduce a mandatory requirement to notify data security breaches – the same as I did for telecoms and internet access when I was Telecoms Commissioner, but this time for all sectors, including banking and financial services," she said.
Obliging organisations to notify consumers of serious data security breaches was "entirely proportionate" and would enhance their confidence in security and oversight mechanisms. It should also create a "stronger incentive" for businesses to undertake "serious risk assessments" and implement appropriate security measures to protect the confidentiality, integrity and availability of personal data, Reding added. But she also believed that it was important to regulate the protection of personal data in the cloud, even though it was widely claimed that such regulation was impossible.
"I agree with those businesses arguing that regulation would be feasible if we make them more accountable," Reding said. "This is why I am considering the inclusion of the ‘accountability principle’ in my reform so that data of citizens exported to third countries is always exported with their rights attached."
In addition, under current Directives, individuals had the right to have their personal data deleted from systems and websites particularly if processing was unlawful or to have data held in public directories withdrawn. But Reding would also like to see the introduction of a ‘right to be forgotten’. "I know that there is a balance to be struck with freedom of expression. It may also call for some flexibility in the way this balance is struck, but I cannot accept that individuals have no say over their data once it has been launched into cyberspace," she said.
Warm welcomes - and warnings
The news has been warmly welcomed by many experts. "The European Commission plans to make the reporting of security breaches mandatory for banks and businesses is exactly what the industry has been needing for a long time. Such change in the existing regulatory system will drive the natural market mechanisms towards improving security compliance and better protection of the customers’ interests," says Mike Smart, solutions director, EMEA at SafeNet.
"We’ve witnessed a large number of security breaches recently and this phenomenon clearly indicates the need of tighter regulations and control over the data security market. These breaches have eroded consumers’ trust and banks and businesses will need to take data protection much more seriously if they want to avoid future reputation damage."
Ken Cregan, financial services consultant at Capgemini Consulting UK, believes that the move to improve transparency in the banking sector could be beneficial to the reputation of the industry for minimum cost - as well as boosting consumer confidence.
"Banks are, through necessity, very strong in their data security and at notifying the relevant authorities about data breaches. When appropriate, this also includes notifying the customer. Structures and systems are in place to support both the monitoring and communication of these breaches, however they do not tend to provide 100% transparency to consumers. As such, the additional overhead required to support communications would potentially be minimum," he explains.
"On the one hand, this is a chance for banks to demonstrate increased transparency in areas that customers are concerned about. It’s best to be upfront and honest about security breaches as they have a habit of getting out in the public domain anyway. Letting people know what has happened and setting out the steps you are taking to solve the problem is the most sensible way forward. It would also help increase consumers confidence in new channels such as mobile."
In the Cloud
With a growing amount of data now being held in the Cloud, Nic Merriman, head of cloud at Avanade UK, is expecting there to be extra scrutiny on the service providers - but he warns that this focus is misplaced, and suggests firms will need to spend more time getting their Cloud governance models in place to ensure they are safe.
"Any company that handles sensitive personal data must have a full user-centric governance policy in place to regulate and control the movement of data from one part of the company to another - over the next two years, 70% of UK businesses are planning to move their finance applications to the Cloud, raising new questions over Cloud security," he suggests. "But as only 30% of organisations have any kind of Cloud governance plan in place, the attention will be less on the Cloud service providers and more on the integrity of the individual firms' security policies."
Ray Welsh, head of marketing at The Bunker, is also concerned that organisations may try to cut corners in order to comply with the measures. "EC regulation is in consumers’ best interest, as without it many organisations will continue to take shocking shortcuts with data security in order to reduce their costs," he says. "However, legislation can’t be rushed in as a ‘knee-jerk’ reaction to recent incidents. Protecting customer data means building systems with security in mind from the ground up, rather than adding a thin layer of additional protection to make insecure systems comply."
It has also been emphasised that the issue of computer security and data protection isn't just the responsibility of the organisations - and businesses may need to take a role in educating their customers about their own responsibility in the security drive.
"Hacking is on the increase. Recently Sony, Sega and various UK and US government agencies have been attacked by hackers, making security in every part of an organisation even more critically important. But the burden of responsibility isn't just with the organisations," says Merriman. "Users need to accept that they also have a role to play in keeping their data safe. For example, in the consumer finance sector we have seen some banks looking to educate and empower their customers to take more responsibility for their own data by supplying free internet security software."
But not everyone is convinced by the proposals coming out of the European Commission. John France, managing director of European Payments at eWise, believes that so far the reports raise more questions than answers. "This sounds like a great concept, although I suspect it will be difficult to implement," he suggests. "I’d be interested to know how organisations will notify their customer(s). Will they have contact details linked to accounts, and will they then notify the banks who will in turn advise the customer? Who will coordinate the process, of the processor is hacked and they have outsourced their business to an aggregator, for example?"
He adds: "I also wonder if hacked organisations may hold back announcing the hack for fear of potential fall-out, or blame. And, will the legislation be adopted at an EU or domestic level? What about non-EU compromises?"
Paul Davis, director Europe from FireEye, is also concerned about the news. "The proposals by the EU to legally require companies to notify customers of data breaches is unlikely to be welcome news for most CSOs who are already struggling to adhere to a raft of compliance obligations," he predicts. "Nor, is it likely to increase customer’s confidence that their information is safe as it will increase the visibility of security breaches and cause further panic about the safety of their online data. However what it will do is raise the stakes for any company who is not investing adequately in protecting confidential data."
Meanwhile, some also remain unconvinced that the measures will ever even be enacted.
"In the US, a proposed enhancement to an 2008 California data breach notification law failed to pass in 2010," highlights Mike Paquette, chief strategy officer at
Corero. "It would have required additional details to be provided in data breach notifications to affected customers. The rationale was that the current method of data breach notification was not lacking."
Nonetheless, Smart is one of those who remains confident that the benefits will rule out. He concludes: "We need to be aware that the proposed change in the EU regulations on reporting security incidents is not going to stop data from being stolen. But it will drive better practice in notifying customers about security breaches so they can take the appropriate reactive steps. Furthermore it will force banks and businesses to adopt the best data protection practices to ensure security compliance and avoid reputational damage."
Replies (0)
Please login or register to join the discussion.
There are currently no replies, be the first to post a reply.