Thales Blog

European Data Breach Notification Laws To Affect All Businesses

February 22, 2010

Keeping tabs on company data is now a greater challenge than ever before as organisations become more fragmented and store ever increasing volumes of data, often scattered across the enterprise. Consequently, the opportunities for data theft and human error are numerous.

In certain industries and countries regulation is already playing a role in tightening data security and providing a better service to customers once a data breach has occurred. The financial services sector is an obvious example, but some countries, such as the US, have also adopted data breach notification laws across all industries. On the worldwide stage, Europe is arguably dragging its feet when it comes to data breach notification laws. There are, however, signs that things are changing.

In November last year, the European Parliament issued Directive 2009/136/EC, primarily targeted at the telecoms industry. The directive defines what is meant by the term data breach and introduces the concept of a data breach notification requirement in paragraph 61: "As soon as the provider of publicly available electronic communications services becomes aware that...[a data]...breach has occurred, it should notify the breach to the competent national authority. The subscribers or individuals whose data and privacy could be adversely affected by the breach should be notified without delay in order to allow them to take the necessary precautions."

The introduction of this directive is a promising step forward for the protection of consumer data and is set to significantly increase security once transposed into national law. However, the telecoms sector is not alone in requiring increased data security measures and, with the growing number of data breaches, directives such as this should be introduced across all sectors. Indeed, the EC recognises this, and in paragraph 59 of the same directive states that "Pending a review to be carried out by the Commission of all relevant Community legislation in this field, the Commission, in consultation with the European Data Protection Supervisor, should take appropriate steps without delay to encourage the application throughout the Community of the principles embodied in the data breach notification rules contained in Directive 2002/58/EC (Directive on privacy and electronic communications), regardless of the sector, or the type, of data concerned."

With the EC suggestion in mind, combined with the ever-growing number of breaches, companies across all sectors need to be thinking about ensuring the security of their customer data. Tens of thousands of companies are already deploying encryption technologies in order to protect their customer data. The very nature of encryption means that data remains secure even if many of the other enterprise security mechanisms fail, and that's why regulators will grow to depend on it. However, as the use of encryption grows, companies need to be able to manage (or control) a growing number of encryption keys securely. This is crucial not only to prevent keys from being lost or stolen, but also for important operational reasons such as on-demand recovery of encrypted data, automated updates and compliance reporting.

While last November's directive covered the telecoms industry only, the EC clearly intends to extend its directives to other industries in the future. Companies must prepare for this now, so that they are not negatively impacted by data breach notification regulations if the suggestion to extend them does become law.