November 22, 2024

Europe Weighs Requiring Firms to Disclose Data Breaches

The proposal, which is being drafted by Neelie Kroes, the European Union’s commissioner for the digital agenda, aims to impose, for the first time, E.U.-wide reporting requirements on companies that run large databases, those used for Internet searches, social networks, e-commerce or cloud services. The proposed directive would supplant a patchwork of national laws in Europe that have made reporting mandatory in Germany and Spain, but voluntary in Britain and Italy.

While European lawmakers are trying to limit cybercrime, the plan by Mrs. Kroes has generated controversy because it would extend the obligation to report data breaches beyond traditional compilers of customer databases — telephone, transport and utility companies.

The technology industry supports the idea of a more systematic approach to the flagging of security breaches, but says the proposal needs more specific guidelines to ensure that notifications are required only when necessary and useful to consumers.

“Harmonization of the notification requirements for security breaches is important and should be addressed,” said Thomas Boué, the government affairs director in Brussels for the Business Software Alliance, whose members include Microsoft, I.B.M., Apple, Oracle and Intel. “More precise guidelines in the directive on the trigger and threshold procedures would make the system more workable.”

Cybercrime has risen sharply in Europe. A series of high-profile hacking attacks on governments and businesses has galvanized European lawmakers to focus on the need to strengthen and harmonize existing laws, which vary widely across the Union and differ on the levels of disclosure required.

In Britain alone, businesses and governments reported 821 cyberattacks in 2011, 15 percent of which resulted in the theft of data on individuals, according to the country’s Information Commissioner’s Office. The attacks represented a more than tenfold increase over the 79 incidents reported in 2007. In one of the breaches, health officials in Scotland reported, the medical records of 104 children had been compromised.

Big companies in Britain are attacked about once a week on average by cybercriminals seeking data, and small businesses are targeted once a month, according to a survey last year of 400 businesses by the accounting firm PricewaterhouseCoopers. The cost to the biggest companies of taking the steps necessary to repel an attack and deal with the damage caused by one can reach about £250,000, or $400,000.

Karin Retzer, a lawyer in Brussels who advises businesses on compliance with European data protection laws, said it was hard to say whether European lawmakers would ultimately adopt the rules, the first effort of the kind worldwide.

“We are in a fairly early stage,” said Ms. Retzer, of the firm Morrison Foerster. “There is a lot of opposition.”

Under E.U. law adopted in 2009, the operators of critical “communications infrastructure” are supposed to follow guidelines on reporting data breaches, but Ms. Retzer said enforcement was spotty at best. Many E.U. countries have applied the mandate only to phone companies, while others have rules on paper for Web businesses but have never enforced them.

Mrs. Kroes, a Dutch economist, made data security a priority when she took over the position of digital agenda commissioner in 2010. Early last year, she drafted the outlines of an E.U.-wide strategy for cybersecurity with Cecilia Malmstrom, the home affairs commissioner, and Catherine Ashton, the E.U.’s representative for foreign policy.

The proposal was supposed to be released last September, but now is expected to be reviewed by the European Commission on Jan. 30. According to a copy of the plan seen by the International Herald Tribune, the new reporting requirements would be applied to, among others, the “enablers of Internet services, e-commerce platforms, Internet payment gateways, social networks, search engines, cloud computing services, application stores.”

The proposal directs E.U. countries to impose penalties on organizations that do not heed the notification rules, and requires them to craft national disclosure laws that are “appropriate, effective, proportionate and dissuasive.”

Article source: http://www.nytimes.com/2013/01/17/technology/17iht-data17.html?partner=rss&emc=rss

The Big Picture: Local Laws Fighting Fat Under Siege

In some cases, lawmakers are responding to complaints from business owners who are weary of playing whack-a-mole with varying regulations from one city to the next. Legislators have decided to sponsor state laws to designate authority for the rules that individual restaurants have to live by.

Florida and Alabama recently adopted such limits, while Georgia, Tennessee and Utah have older statutes on their books. Earlier this year, Arizona prohibited local governments from forbidding the marketing of fast food using “consumer incentives” like toys.

And this week, Ohio Gov. John Kasich signed the state budget, which contains sweeping limitations on local government control over restaurants.

“All of a sudden we’re seeing this legislation get slipped into pending bills at the 11th hour under the radar of public health advocates, which will pre-empt local governments from adopting policies that would improve health in their communities,” said Samantha Graff, senior staff lawyer at Public Health Law Policy, a nonprofit group that works to combat obesity, among other issues.

The new state laws will have no effect on a federal law that requires menu labeling by chains with 20 or more restaurants by 2013. But more than half of the nation’s restaurants will not be required to meet the federal rules for listing calories and fat content.

Sue Hensley, a spokeswoman for the National Restaurant Association, said it supported the efforts of its state members to protect restaurants from what she described as “a patchwork of regulation.”

“We feel it is in the best interests of the consumer to have one uniform standard,” Ms. Hensley said.

Public health advocates worry that the new laws will stall a movement among cities and counties that are putting in place a wide range of policies and tools aimed at stemming the rising tide of obesity among their residents. The mayor of Oklahoma City, Mick Cornett, for example, has challenged its citizens to lose a million pounds collectively, and cities around the country have worked to ensure that more nutritious meals are served at schools.

Towns and cities like Louisville, Ky., often serve as laboratories where new policies can be tested and tweaked, to develop public support that then unfolds across states and even nationally. The federal law passed last December that will set nutritional standards for food sold or otherwise provided in schools nationally is one example: Requirements for healthier foods in school cafeterias began in local school districts.

“This battle will involve policy changes at all levels of government, but it is easier fought locally because it allows greater accountability to ensure implementation and addresses the unique needs of communities,” William H. Roach Jr., chairman of the American Heart Association, wrote in an e-mail.

Margo G. Wootan, director of nutrition policy at the Center for Science in the Public Interest, a nonprofit research and advocacy group, said state restaurant groups were leading the recent pushes for state legislation that pre-empted local governments. “Politicians go out to eat a lot, so restaurant owners know their state lawmakers very well,” Ms. Wootan said. “They’re quite formidable opponents.”

State legislators who have sponsored pre-emptive legislation in Florida and Alabama say they were contacted by their state’s restaurant associations, which expressed concern that California’s latest food rules would be adopted by their own local governments.

For example, the Los Angeles City Council banned fast food restaurants in South Los Angeles, where rates of poverty and obesity are high. In April, the Santa Clara County supervisors adopted a policy that forbids fast food restaurants from selling meals with toys, like those connected with movie promotions.

“We didn’t want to give those kinds of things a chance to become a problem for the restaurant industry here,” said Steve Crisafulli, the Florida state representative who sponsored the law limiting local authorities’ ability to regulate restaurants in their jurisdiction. “It’s always easier to take care of these things before they become an issue rather than after the fact.”

Article source: http://feeds.nytimes.com/click.phdo?i=55244ff9a282f88f2687a1ff40cf7c84

Scrutiny Lags as Jets Show Effects of Age

They thought they had solved the problems.

But the five-foot hole in the roof of a Southwest Airlines 737 this month and other recent incidents indicated that they had not. In fact, a stream of safety directives from the Federal Aviation Administration in the years since the Aloha incident shows that structural cracks from metal fatigue remain a persistent problem on older planes.

Chillingly, the agency said in one directive that the discovery of some of the most serious damage had been “a purely random occurrence.”

Safety experts say that the industry and regulators rely far too much on a patchwork of rules that are largely reactive: each time a problem in one part of the plane is found, inspectors add that area to their checklists. Late last year, the F.A.A. itself acknowledged the seriousness of the issue when, for the first time, it issued a rule to set flying limits for aging aircraft. “The potential for catastrophic structural failure,” it said, “is very significant.”

Even so, the F.A.A. took more than four years to write the rule, as airlines objected that it would reduce the value of their planes and force them to ground some they thought could still fly. In response, the F.A.A. toned down the rule, extending a deadline for plane makers to come up with the lifetime limits.

John J. Goglia, a former member of the National Transportation Safety Board, which investigates accidents, says the F.A.A. needs to do more than wait for the industry to set plane-retirement deadlines and rely on the airlines to do piecemeal inspections. The Southwest incident showed, he said, that the agency should order thorough inspections of a couple of the older and most heavily used 737s, using the latest technologies, to determine where cracks might develop.

Right now, he said, “it looks like you’re putting Band-Aids on the airplane.”

Referring to both the Southwest incident and an earlier one in 2009, in which an 18-inch hole appeared in another Southwest 737, he said, “Here’s a case where we have a small hole, a big hole and if we’re not going to do something serious about the entire airplane, we’re going to end up with a smoking hole.”

F.A.A. and industry officials say they are reviewing their policies on aging planes. But they note that fatigue problems have not caused any deaths on jetliners since the Aloha accident, even with millions of flights a year in the United States.

J. Randolph Babbitt, the head of the F.A.A., and Boeing officials said last week that it was too early to conclude that the latest Southwest incident stemmed from metal fatigue. He said investigators were also examining Boeing’s manufacturing processes and other possible causes.

But whatever the outcome of the investigation, the older 737s have provided an early warning about the kinds of fatigue damage that other planes could eventually face. They have been sold since 1968, although the Southwest planes that have had problems are part of the series that was redesigned after Aloha, built from 1993 to 2000.

The 737 has been an industry workhorse because it is economical for both short and long trips. These planes tend to accumulate the highest number of flights. And given the weak financial state of the industry, some airlines have held on to them longer.

But engineers have long known that metal fatigue can develop as a plane’s cabin is pressurized then depressurized over tens of thousands of takeoffs and landings. Crucial parts of the fuselage can develop cracks, much like a paper clip that snaps after being bent back and forth. It is when many small cracks link up that they pose a danger.

The Aloha plane had flown nearly 90,000 flights. Boeing had pleaded with the carrier to ground its most-used planes and fix corrosion problems. Federal investigators faulted Aloha’s poor maintenance practices for the accident.

Nicola Clark contributed reporting.

Article source: http://www.nytimes.com/2011/04/18/business/18plane.html?partner=rss&emc=rss