Wednesday, January 26, 2011

Telecoms companies are wary of data breach law

Telecoms providers and data-protection authorities are worried by the
potential fallout of an upcoming European data-breach notification
law, according to the European Network Information Security Agency.

Enisa, the EU's information security policy adviser, outlined its
concerns in a report on the effects of the ePrivacy Directive issued
on Friday. The study is designed to provide guidance to
telecommunication providers as they prepare for the law, which forces
companies to inform customers about data breaches.

"Gaining and maintaining the trust and buy-in of citizens that their
data is secure and protected represents a potential risk to the future
development and take-up of innovative technologies and higher
value-added online services across Europe, and will be a key challenge
for organisations," said the report.

Under the ePrivacy Directive, from March telecoms companies must
publicise data breaches. In addition, the banking, healthcare and
small business sectors are being considered for inclusion in
data-breach notification law by the European Commission.

The study found that electronic communications companies are concerned
about the damage that breach notification could do to their brands.
They also wanted guidance on how to prioritise breaches according to
severity and advice on categorising types of data.

For their part, data-protection regulators are worried about having
sufficient resources to cope with notification, a lack of sanctions, a
lack of technical expertise, and how to raise data-protection
awareness, according to Enisa.

Public confidence
The ePrivacy Directive gives businesses a legal impetus to guard
against data breaches, in addition to the reputational impetus,
according to the EU body. High-profile incidents of data loss and
exposure have shaken public confidence in organisations' abilities to
keep personal data safe, it said.

"Every day there seems to be headlines that personal data has been
leaked, that someone has found a laptop on a train," Enisa data-breach
expert Sławomir Górniak told ZDNet UK.

Organisations must gain public trust that personal data will not be
divulged, otherwise they risk hindering the take-up of innovative
technologies, according to Enisa. Measures such as encryption can
mitigate the risk, said Górniak. "If you lose a laptop, and it's
encrypted, and you have the keys, then this is not a data breach," he
said.

In the UK, the data-protection regulator is the Information
Commissioner's Office (ICO). The regulator has the power to fine
organisations for breaching data-protection laws, but did not fine
Google over its Street View collection of personal data. In November,
the ICO levied its first fines, against Hertfordshire County Council
and employment services company A4e.
