Europe Weighs New Data Breach Rules For Critical Companies - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Government // Cybersecurity

Europe Weighs New Data Breach Rules For Critical Companies

Mobile networks, banks, energy companies and other critical infrastructure providers could be required to report all breaches to EU authorities.

European businesses that provide critical infrastructure services, including banks, stock exchanges, telecommunications firms and utilities, may soon be required to disclose to authorities any data breach they suffer.

That proposal is contained in draft regulations currently being circulated by the European Union's executive committee. The committee plans to formally introduce the recommendation in February 2013, after receiving feedback from the European Parliament and the 27 different countries in Europe that comprise the EU.

An EU spokesman didn't immediately respond to a request to review a copy of the executive commission's draft proposal. But EU officials said the new regulation is needed to remove the stigma associated with data breaches, as well as to improve information sharing between providers of critical infrastructure services, who are being increasingly targeted by hackers.

"We want to change the culture around cybersecurity from one where people are sometimes afraid or ashamed to admit a problem, to one where authorities and network owners are better able to work together to maximize security," an unnamed EU official told Reuters, which first reported the news of the EU's draft proposal.

[ Learn more about U.S. critical infrastructure security. See Cyberattack Reports On U.S. Critical Infrastructure Jump Dramatically. ]

The draft report from the EU's executive committee suggests that critical infrastructure is too valuable to be left to voluntary -- if any -- reporting requirements. "Cybersecurity incidents are increasing at an alarming pace and could disrupt the supply of essential services we take for granted such as water, sanitation, electricity or mobile networks," the report said, according to news reports. Furthermore, the report suggested that businesses in Europe currently "lack effective incentives to provide reliable data on the existence or impact" of data breaches or information security incidents.

"Minimum security requirements should also apply to public administrations and operators of critical information infrastructure to promote a culture of risk management and ensure that the most serious incidents are reported," according to the draft report.

Europe currently lacks a single data-breach notification law. Instead, not unlike in the United States, data-breach notification requirements in Europe are governed by a patchwork of country-level provisions. The different laws have differing thresholds for triggering notifications, and differ also as to whether individuals, regulators or both should receive notifications.

"For example, a legal obligation to notify regulators and affected individuals (under certain circumstances) of data breaches exists in Germany and Norway," according to a recent analysis of European data breach notification requirements published by attorneys Christopher Kuner and Anna Pateraki at Wilson Sonsini Goodrich & Rosati. "In contrast, some countries, such as Austria, have a legal requirement to notify individuals but not the regulator, whereas other countries have a voluntary regime based on codes and guidelines issued by regulators, such as Denmark, Ireland and the United Kingdom."

A draft data protection regulation currently being debated by the EU would also create a single data breach notification requirement for all of Europe. But EU watchers have said that debate over the proposed changes may take at least another year or two to be resolved.

Regardless of the timing, data security and breach notifications are clearly on the EU's agenda. "The European Commission's work on critical infrastructure shows the crucial importance of cybersecurity in today's world," said Brussels-based Pateraki, who specializes in privacy law, via email. "In parallel to the ongoing EU data protection reform, which will also enhance data security, the commission is planning to move forward with a proposal on critical information infrastructure protection (CIIP) probably in early 2013. It is expected that the commission's CIIP proposal will build on the existing proposal for a general data breach notification regime and might include a similar regime for security breach notification in critical sectors."

Note: Story updated to include Anna Pateraki's quote.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Nathan Golia
Nathan Golia,
User Rank: Apprentice
12/19/2012 | 2:39:52 PM
re: Europe Weighs New Data Breach Rules For Critical Companies
I'm a little surprised this kind of regulation wasn't already in place.

Nathan Golia
Insurance & Technology
COVID-19: Using Data to Map Infections, Hospital Beds, and More
Jessica Davis, Senior Editor, Enterprise Apps,  3/25/2020
Enterprise Guide to Robotic Process Automation
Cathleen Gagne, Managing Editor, InformationWeek,  3/23/2020
How Startup Innovation Can Help Enterprises Face COVID-19
Joao-Pierre S. Ruth, Senior Writer,  3/24/2020
White Papers
Register for InformationWeek Newsletters
Current Issue
IT Careers: Tech Drives Constant Change
Advances in information technology and management concepts mean that IT professionals must update their skill sets, even their career goals on an almost yearly basis. In this IT Trend Report, experts share advice on how IT pros can keep up with this every-changing job market. Read it today!
Flash Poll