The European Commission has published proposals for a change in law that would force telecoms firms to notify regulators and customers of all breaches of data security, including, for example, lost laptops and stolen backup tapes. A similar but more far-reaching law in California has resulted in a deluge of data-breach notifications by companies such as Time Warner and Bank of America. It may not be long before Europe follows suit, with regulatory and business drivers affecting more and more companies.
Rob Gretton, Business Development Director for DISUK, commented: “This legislation is a step in the right direction, as anything that empowers the individual and gives them more information is a good thing. However, it doesn’t go far enough to close the loophole of ‘if the data is exposed, how do we ensure that it cannot be misused?’
“As the proposal stands, it forces companies to disclose when information or personal identities are at risk, allowing individuals to be informed and to take action. Unfortunately, this permits businesses to continue to put the onus on the individual to rectify problems caused by them, the owners of the exposed data source. For far too long, large companies have been able to shrug their shoulders and say sorry, leaving the little guy to reclaim his identity or credit rating, which can take years and be a very painful process, through no fault of his own. There has to be some element of accountability for exposure of data. We need to encourage an ethos of ethical corporate responsibility.”
Identity theft is not just a problem on the Internet; it can happen in much less visible ways. Thefts and losses of backup tapes mean that large volumes of personal information, such as mother’s maiden name, date of birth or national insurance number, are exposed to potential misuse at any time in the future. Companies need to do more to protect themselves and their customers against losses of personal data, or they risk damage to their corporate reputations when a loss is made public under this proposed legislation. According to Rich Mogull, Research Vice President for Gartner, the key ways for companies to safeguard personal data are:
1. deploy content monitoring and filtering (CMF)
2. encrypt backup tapes and (possibly) mass storage
3. secure workstations, restrict home computers and lock portable storage
4. encrypt laptops
5. deploy database activity monitoring
Background information (source: OUT-LAW.COM, 12th September 2006): ‘The Review of EU Regulatory Framework for electronic communications networks and services’ proposes that all suppliers of “electronic communications networks or services” be forced to notify the regulators and their customers of any breach of security that would result in customers’ personal data being made available to others.
The current EU Directive does not instruct network providers to notify customers of security breaches, only of security risks. UK law follows the Directive closely via the Privacy and Electronic Communications Regulations of 2003. The Regulations say: “Where … there remains a significant risk to the security of the public electronic communications service, the service provider shall inform the subscribers concerned of (a) the nature of that risk; (b) any appropriate measures that the subscriber may take to safeguard against that risk, and (c) the likely costs to the subscriber involved in the taking of such measures.”
The security changes are part of a wider EU consultation which runs until 27th October 2006. If the new law comes into effect as proposed, suppliers of electronic communications networks and services must consider the full cost of data security breaches involving personal information.
In California, the first state to pass a security breach notification law, reports of personal identity compromises have soared and are far more widely reported in the public arena. Thirty-three US states have since followed suit, and a series of thefts and losses of backup tapes, laptops and hard drives have exposed the data of millions of people to potential loss and misuse. Many of the reported losses would have remained hidden without the notification law (full details are listed in the DISUK Definite Guide to Data Loss).