Thales Blog

New EU Regs Pave The Way For Breach Notification

August 15, 2013

Security BreachAs you might already be aware, in less than two weeks’ time, EU Commission Regulation (EU) No 611/2013, which concerns data breach notification rules, enters into force.  When this happens, if you are a telecoms operator or internet service provider in Europe, you will be required to notify the appropriate authorities (e.g., the ICO or OFCOM) within 24 hours of detecting theft, loss or unauthorised access of personal customer data like e-mails, calling data and IP addresses.

This regulation comes into effect ahead of the broader ‘Draft Data Protection Regulation’, which is going to require a similar response from any and all European businesses (not just telecoms providers and ISPs) that handle personal data – therefore affecting almost everybody.

Of course, breach notification regulations are nothing new and U.S. readers will no doubt be familiar with Senate Bill 1386 – the first regulation dictating that residents of California must be informed should unauthorised persons access their data.  Since then, at least 48 states and U.S. territories have enacted laws requiring notification after some form of breach.

An important caveat of SB 1386, and indeed the new EU regulation that comes into effect on the 25th August, is that if the personal customer data accessed or lost has been encrypted, there is no need to notify customers as their details will not be at risk. Specifically, (EU) No 611/2013 states that:

“…notification of a personal data breach to a subscriber or individual concerned shall not be required if the provider has demonstrated to the satisfaction of the competent national authority that it has implemented appropriate technological protection measures, and that those measures were applied to the data concerned by the security breach. Such technological protection measures shall render the data unintelligible to any person who is not authorised to access it.”

Clearly, it is very important to implement policies and solutions that ensure any sensitive customer data you store is unintelligible, but a further consideration for European organisations involves conducting business with international next-door neighbours.

As with all European directives, member states will enforce the terms of the new regulations differently. If this concerns your business, it will be no good to meet the requirements of country A if you fail to meet the data breach notification rules of country B. To avoid potentially negative consequences, you will have to make sure that you are able to do so.

This latest EU regulation amendment serves an important reminder of the need to take the security of data seriously. There continues to be a non-stop stream of data breaches hitting the headlines, showing that it is not a case of if, but when, most businesses will suffer at the hands of either hackers or insider threats.

You should ask yourself if your policies and systems are simple and powerful enough to adapt to regional compliance variations. Can you ensure that your sensitive data is sufficiently obfuscated in the event of a breach?  It’s only when you can answer yes that you will be able to protect your business from the financial and reputational penalties at stake.