What will new EU data breach rules mean for business?
What can businesses expect from the European Commission's much tougher data breach rules?
The news has been warmly welcomed by many experts. "The European Commission plans to make the reporting of security breaches mandatory for banks and businesses is exactly what the industry has been needing for a long time. Such change in the existing regulatory system will drive the natural market mechanisms towards improving security compliance and better protection of the customers’ interests," says Mike Smart, solutions director, EMEA at SafeNet.
"We’ve witnessed a large number of security breaches recently and this phenomenon clearly indicates the need of tighter regulations and control over the data security market. These breaches have eroded consumers’ trust and banks and businesses will need to take data protection much more seriously if they want to avoid future reputation damage."
Ken Cregan, financial services consultant at Capgemini Consulting UK, believes that the move to improve transparency in the banking sector could be beneficial to the reputation of the industry for minimum cost - as well as boosting consumer confidence.
With a growing amount of data now being held in the Cloud, Nic Merriman, head of cloud at Avanade UK, is expecting there to be extra scrutiny on the service providers - but he warns that this focus is misplaced, and suggests firms will need to spend more time getting their Cloud governance models in place to ensure they are safe.
"Any company that handles sensitive personal data must have a full user-centric governance policy in place to regulate and control the movement of data from one part of the company to another - over the next two years, 70% of UK businesses are planning to move their finance applications to the Cloud, raising new questions over Cloud security," he suggests. "But as only 30% of organisations have any kind of Cloud governance plan in place, the attention will be less on the Cloud service providers and more on the integrity of the individual firms' security policies."
Ray Welsh, head of marketing at The Bunker, is also concerned that organisations may try to cut corners in order to comply with the measures. "EC regulation is in consumers’ best interest, as without it many organisations will continue to take shocking shortcuts with data security in order to reduce their costs," he says. "However, legislation can’t be rushed in as a ‘knee-jerk’ reaction to recent incidents. Protecting customer data means building systems with security in mind from the ground up, rather than adding a thin layer of additional protection to make insecure systems comply."
It has also been emphasised that the issue of computer security and data protection isn't just the responsibility of the organisations - and businesses may need to take a role in educating their customers about their own responsibility in the security drive.
"Hacking is on the increase. Recently Sony, Sega and various UK and US government agencies have been attacked by hackers, making security in every part of an organisation even more critically important. But the burden of responsibility isn't just with the organisations," says Merriman. "Users need to accept that they also have a role to play in keeping their data safe. For example, in the consumer finance sector we have seen some banks looking to educate and empower their customers to take more responsibility for their own data by supplying free internet security software."
But not everyone is convinced by the proposals coming out of the European Commission. John France, managing director of European Payments at eWise, believes that so far the reports raise more questions than answers. "This sounds like a great concept, although I suspect it will be difficult to implement," he suggests. "I’d be interested to know how organisations will notify their customer(s). Will they have contact details linked to accounts, and will they then notify the banks who will in turn advise the customer? Who will coordinate the process, of the processor is hacked and they have outsourced their business to an aggregator, for example?"
He adds: "I also wonder if hacked organisations may hold back announcing the hack for fear of potential fall-out, or blame. And, will the legislation be adopted at an EU or domestic level? What about non-EU compromises?"
Paul Davis, director Europe from FireEye, is also concerned about the news. "The proposals by the EU to legally require companies to notify customers of data breaches is unlikely to be welcome news for most CSOs who are already struggling to adhere to a raft of compliance obligations," he predicts. "Nor, is it likely to increase customer’s confidence that their information is safe as it will increase the visibility of security breaches and cause further panic about the safety of their online data. However what it will do is raise the stakes for any company who is not investing adequately in protecting confidential data."
Meanwhile, some also remain unconvinced that the measures will ever even be enacted.