EU Data legislation amendments

2011 was not a vintage year for data security, and IT professionals will want to forget its many high-profile data breach incidents. So is 2012 set to improve on that record? Reports suggest that a draft update of European Union privacy legislation is seeking to renew focus on some key issues surrounding data security and information assurance.

Although the fact that the EU had been looking at updating existing data privacy legislation was no secret, adverse publicity caused by the data breaches was expected to spur a tightening-up of data security; the relative prosperity being enjoyed by the IT security products and services sector seemed to support this prognosis. However, it doesn't matter how big the investments are; security solutions can only solve part of the problem. The fact remains that more effective application of corporate security policies was needed to treat the rot. Despite years of warning, organisations still seem slow to implement/enforce information security policies; this perceived governance gap has left the way open for legislators to get tough.

Data security legislation has been a long time coming, and is still a thing of the future. It could be two years before the latest EU proposals come close to being ratified, and even then they have to gain approval from member-state governments before they come into effect. This will give lax enterprises the chance to reinforce their procedures – if they are willing to take it.

Security 'game-changers'

The data security landscape has experienced some important changes in recent years. The EU's desire to reduce data breaches by encouraging organisations to take greater responsibility for implementing preventative measures is based partly on a recognition that cybercrime now poses a serious threat to the fiscal stability of the economically-embattled Eurozone; it also wants to introduce legislation that harmonises the EU with similar initiatives in the US. Sound economies the world over require a confident trading environment, and although most organisations have wised up to the harmful consequences of cyber attack and implemented protective technologies, many fail to acknowledge data breaches to the outside world.

The 2011 data breaches were some of the biggest to have emerged. They included: Sony PlayStation Network; Lockheed Martin; Citigroup; and Epsilon (various Sony divisions were hit six times between Q2 and Q3 2011). The consequences of being a victim of a data breach – as the result of an intended or unintended criminal activity, say – have an adverse effect on corporate reputation. Breaches that have occurred in spite of an organisation's measures to protect data-sets, and ensure that staff follow established security procedures only give the perception that the company has been careless or negligent.

Speaking in Brussels in December 2011, EU vice president Viviane Reding restated her concern that the extent of the problem could be partially remediated if less sensitive data is retained. She said that individuals should be better able to delete what they had already supplied, and be confident that online entities were purging data that was no longer needed.

Reding calls for a "right to be forgotten". The Internet has an almost unlimited search and memory capacity, she points out – "even tiny scraps of personal information can have a huge impact, even years after they were shared or made public. I want to empower individuals to delete their personal data any time they want, where there are no other legitimate grounds for a controller to keep their data any longer".

Reding also wants to extend data breach notifications to "all sectors". She says: "Data controllers will have to report security breach incidents to data protection authorities and to the individuals whose personal information has been compromised." The EU vice president wants to see data security codes and certification schemes brought in.

Paying the price

Meanwhile, the new EU draft proposals evoked strong opinion from both businesses and data security providers when a leaked copy of the draft proposal document was published online. Two issues contained in it proved to be the most contentious: the fact that enterprises and organisations found to have mishandled customer data, or not protected it sufficiently, could face swingeing fines based on up to 5 per cent of turnover; and new resources for data governance.

If ratified, such rules would result in fines of millions of Euros for large enterprises – those often found to be most exposed in high-profile data breach revelations over the last two years.

In theory the same punitive rules would apply to public sector bodies that experience breaches, such as the UK's National Health Service and the HM Revenue & Customs. The stipulations would apply both to customer data – account details, payment details, and purchase history information – as well as information gathered and held by social media providers, and even to providers of cloud computing services.

As such the proposals do represent the first legal framework that would apply the same legal requirements to a variety of online data repositories. Further penalties would be incurred if breached organisations do not notify data protection authorities – such as the Information Commissioner's office in the UK – as well as the affected parties (namely, business partners and customers) within 24 hours of the incident occurring.

To ensure that data protection as an issue does not fall between different directorates or departments – as it often does between the HR, legal, and IT functions – the EU wants organisations with more than 250 employees to appoint a dedicated staff resource (someone like an information assurance security officer, say) cast in a dedicated, full-time data protection role. *

Further information

• www.sophos.com/en-us/
• www.statewatch.org/news/2011/dec/eu-com-draft-dp-reg-inter-service-consultation.pdf