Earlier this year, the European Commission drew up a list of proposals for its overhaul of EU data protection legislation. Some of the new plans raised a few eyebrows, notably the ability for regulators to fine organisations up to 2 percent of annual income for serious data breaches and an obligation for companies to inform authorities of those breaches within 24 hours.
Are criticisms of the EC’s proposals legitimate? Well, it can hardly be disputed that EU data protection laws need to be updated. The current legislation has been in place since 1995. While the underlying principles remain valid, an increasingly online society combined with a rise in public data breaches highlights the need for updated legislation.
Some quarters have described the new EU data protection law proposals as a 'tax' on firms holding customer data but if the draft legislation forces companies which hold customer details to take information security seriously, it can only be a good thing. At the same time, the EU needs to find a workable set of criteria without being too prescriptive.
It’s hard to oppose breach notification requirements; after all, their goal is to motivate organisations to implement more effective information security policies and to equip individuals with the information they need to protect themselves. With mandatory public data breach disclosures, security receives more investment and gets better. However, care must be taken to avoid imposing an arbitrary deadline (as in the draft legislation) if this will lead to erroneous over-notification that either damages commerce or results in a frenzy of customers receiving a notification without adequate support. In many cases premature or false notification has the potential to be far more damaging than late notification.
Beyond punishing breaches and defending individuals, full disclosure of the circumstances behind a breach remains the best way for the information security community to learn how to better protect our information systems from the persistent and constantly evolving threats.
In any case, the best way for an organisation to avoid data breaches and the need for public disclosure is to implement a security policy of which the bedrock should be strong encryption. Indeed, at the Cloud Security Alliance Congress last week, I heard a privacy lawyer presenting a panel session on this very topic describe encryption as “a silver bullet when it comes to data privacy law.”
It has been proven time and time again that encryption provides the most secure means to protect data in the event of loss or theft - provided that encryption keys are well managed. In many jurisdictions around the world, the use of encryption not only provides a security benefit but also acts as a ‘safe harbour’, providing a mechanism to avoid the need to publicly disclose data breaches.