November 22, 2024

Europe Weighs Requiring Firms to Disclose Data Breaches

The proposal, which is being drafted by Neelie Kroes, the European Union’s commissioner for the digital agenda, aims to impose, for the first time, E.U.-wide reporting requirements on companies that run large databases, those used for Internet searches, social networks, e-commerce or cloud services. The proposed directive would supplant a patchwork of national laws in Europe that have made reporting mandatory in Germany and Spain, but voluntary in Britain and Italy.

While European lawmakers are trying to limit cybercrime, the plan by Mrs. Kroes has generated controversy because it would extend the obligation to report data breaches beyond traditional compilers of customer databases — telephone, transport and utility companies.

The technology industry supports the idea of a more systematic approach to the flagging of security breaches, but says the proposal needs more specific guidelines to ensure that notifications are required only when necessary and useful to consumers.

“Harmonization of the notification requirements for security breaches is important and should be addressed,” said Thomas Boué, the government affairs director in Brussels for the Business Software Alliance, whose members include Microsoft, I.B.M., Apple, Oracle and Intel. “More precise guidelines in the directive on the trigger and threshold procedures would make the system more workable.”

Cybercrime has risen sharply in Europe. A series of high-profile hacking attacks on governments and businesses has galvanized European lawmakers to focus on the need to strengthen and harmonize existing laws, which vary widely across the Union and differ on the levels of disclosure required.

In Britain alone, businesses and governments reported 821 cyberattacks in 2011, 15 percent of which resulted in the theft of data on individuals, according to the country’s Information Commissioner’s Office. The attacks represented a more than tenfold increase over the 79 incidents reported in 2007. In one of the breaches, health officials in Scotland reported, the medical records of 104 children had been compromised.

Big companies in Britain are attacked about once a week on average by cybercriminals seeking data, and small businesses are targeted once a month, according to a survey last year of 400 businesses by the accounting firm PricewaterhouseCoopers. The cost to the biggest companies of taking the steps necessary to repel an attack and deal with the damage caused by one can reach about £250,000, or $400,000.

Karin Retzer, a lawyer in Brussels who advises businesses on compliance with European data protection laws, said it was hard to say whether European lawmakers would ultimately adopt the rules, the first effort of the kind worldwide.

“We are in a fairly early stage,” said Ms. Retzer, of the firm Morrison Foerster. “There is a lot of opposition.”

Under E.U. law adopted in 2009, the operators of critical “communications infrastructure” are supposed to follow guidelines on reporting data breaches, but Ms. Retzer said enforcement was spotty at best. Many E.U. countries have applied the mandate only to phone companies, while others have rules on paper for Web businesses but have never enforced them.

Mrs. Kroes, a Dutch economist, made data security a priority when she took over the position of digital agenda commissioner in 2010. Early last year, she drafted the outlines of an E.U.-wide strategy for cybersecurity with Cecilia Malmstrom, the home affairs commissioner, and Catherine Ashton, the E.U.’s representative for foreign policy.

The proposal was supposed to be released last September, but now is expected to be reviewed by the European Commission on Jan. 30. According to a copy of the plan seen by the International Herald Tribune, the new reporting requirements would be applied to, among others, the “enablers of Internet services, e-commerce platforms, Internet payment gateways, social networks, search engines, cloud computing services, application stores.”

The proposal directs E.U. countries to impose penalties on organizations that do not heed the notification rules, and requires them to craft national disclosure laws that are “appropriate, effective, proportionate and dissuasive.”

Article source: http://www.nytimes.com/2013/01/17/technology/17iht-data17.html?partner=rss&emc=rss