2 data security breach regulation - data theft: will EC bring new regulation that helps citizens?
Recently we posted:
- 1 Data security breach regulation - does it matter?
Data security breach: these are becoming an ever greater problem, looking at some of the news stories. What are some of the regulatory developments regarding data security breaches? Read what the EU has in store for you.
Data security breaches have become an ever greater issue, as outlined here:
- 3 security - data theft: the failures in the U.S.
- ChoicePoint and other mishaps - chronology of data security breaches
The public knows about most of these data breaches in the US because there exist laws (originating in California with the California Security Breach Information Act (SB-1386)) that require businesses to inform customers when there are data breaches. There exists a comprehensive list at the Privacy Rights Clearinghouse that sums up to over 153 million customer records compromised over the past few years. However, there are currently no corresponding laws or directives in the EU, so such data theft breaches could be occurring without customers or the public even being alerted to them.
Hence, the EU and, in particular, the European Commission have taken the necessary steps to make changes in this area.
In June 2006, the European Commission launched a public consultation on proposals for modification of the ePrivacy Directive, among others.
The consultation documents include a:
- Communication on the Review of the EU Regulatory framework for electronic communications and a
You can find these at the Roadmap for the Reform of the EU’s Telecom Rules.
They include proposals about:
- security breaches: a data security breach notification law, and
- notification of loss of personal data: a data security breach notification requirement.
The plan is that the European Commission will announce final proposals for revision of this Directive in October 2007.
The proposal will then go to the European Parliament and the Council, and typically it takes 2 to 3 years before any proposal becomes law in the Member States.
Hence, Europe is unlikely to get a directive approved and, most importantly, implemented into national laws across 27 EU Member States before 2009. See also:
- what is the difference between directives, guidelines, laws, policies, specifications and standards?
CONCLUSION
While the EC has recognized the problem regarding data security breaches, it will take some time until regulation has been implemented across EU Member States.
The problem appears to be that as long as we do not have a mandatory notification law in Europe, neither consumers nor regulatory agencies will receive notification about data security breaches. Without these it is difficult to establish how big the problem regarding data security breaches might be.
Judging from the U.S. experience, it seems that once data security breach notification requirements are introduced, ever more cases of data security breaches become known to the public and regulators. Only then does the severity of the problem become apparent. Until then, your guess is as good as mine regarding the number of data security breaches in Europe and how severe these are (e.g., confidential information of citizens being lost on a misplaced computer).
FOLLOW-UP
- 3 data security breach regulation - soon we should be able to make a business case for securit