Data Breach Notification and the European Commission Data Protection Directive
Proposed in 2012 by the European Commission, the new European Union (EU) Data Protection Directive is an important and significant reform aimed at strengthening the regulation of the processing of personal data. It gives more rights to citizens and consumers while adding new obligations for organizations that collect and hold personal data. Throughout the global privacy community, it is widely acknowledged that the impact of this reform will be massive, with an onus to proactively prove compliance is placed upon European organizations more than ever before.
One of the most significant and hotly debated changes has been around the aspect of data breach notification – a compulsory obligation to inform EU regulators of a security breach of personal data soon after it takes place. Breach notification is already implemented throughout most of the United States. However, it was been a strangely missing as a requirement here in the EU – where privacy laws were often thought be more stringent – until now. The data breach regulations that existed in the past were often dependent on variations in local national law, and companies were often confused about where and whom they should notify. The new directive seeks to harmonize the EU member state approach.
As of Sunday August 31st, throughout the 28 member states of the EU, internet service and telecommunications providers have 24 hours – from discovery to notification – to report data breaches to the relevant country’s regulator. This is not a part of the Data Protection Directive, specifically, but instead the existing EU e-privacy regulations of 2007, which are influencing the new data protection privacy regime.
24 hours isn’t long. Some would argue that in this short time, it would be challenging to determine what to report when the full extent of the breach could be unknown. Certainly, organizations do not like to “publish” security flaws externally – especially if they haven’t had time to eradicate the breach and fix the vulnerability.
If sufficient details are unavailable within the allotted period, an initial notification is required to be submitted within 24 hours and a more thorough follow-up is required within 72 hours. Some details that must be included in the alert are:
· Name of the provider
· Summary of the incident
· Number of affected individuals
· Content of data impacted and measures taken to mitigate adverse effects
If the breach originates outside of the EU, the directive does not apply, and much has been made about whether it is the location of the ISP, the location of the data, the location of the breach, or the location of the individual that should trigger jurisdiction.
If the breach involves personal data, the EU law mandates that affected individuals are alerted “without undue delay” from detection of the incident, according to the regulation. Personal data breaches are defined as “breaches of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service in the European Union.”
Consumers, of course, welcome this level of transparency and openness. I personally have always felt that security is actually about openness, trust, and exchange of ideas, so my thoughts are that the more people talk about vulnerabilities, the more will be fixed.
At AvePoint, we have seen interest from more organizations than ever before in taking proactive and preventive action against data breaches through the use of automated tools across unstructured data environments. Organizations may have good policies in place, but often they rely almost entirely upon user integrity to carry out these policies. Often, through error, accident, misunderstanding, or even old fashioned maliciousness, data can spread, get copied, leak, or end up in the wrong places. The first question any organization must ask is “do I know where my data is?” before they can protect it.
AvePoint Compliance Guardian scans content, illuminates where it resides as well as who put it there, delivers reports, and then takes action to move, delete, notify, quarantine, or even add classifications to the data. It can carry these actions out across files hares, websites, and SharePoint to ensure a single view of your enterprise environment.
Once a data breach occurs, it cannot be undone. Now, thanks to new regulations, providers in the EU must report the breaches to the relevant regulator, so it cannot go unnoticed either. AvePoint Compliance Guardian can be the proactive approach required to show that this type of incident will not happen again – or better yet, prevent the incident from ever occurring in the first place.
