With the severity of data breaches on the rise, will Europe adopt U.S.-style mandatory disclosure of data privacy regulation violations?
By Mathew Schwartz
At the RSA Conference, IAPP London correspondent Mat Schwartz put an ear to the European debate on mandatory breach notifications. Here's what he heard.
To notify, or not to notify?
Mandatory data breach notifications—public alerts whenever consumers' personal information has been lost or stolen—are de rigueur in the United States. As a result, many companies have improved their data security safeguards and been forced to publicly apologize and compensate data-loss and identity theft victims.
Now, European Union officials are debating whether to make U.S.-style data breach notifications mandatory throughout the EU's 27 member states, or even to go one better and impose civil penalties, including jail time, for violating data privacy statutes.
The ball got rolling in November 2007, when the European Commission (EC) suggested revising its "Directive on Privacy and Electronic Communications" (#2002-58) to include new security and data privacy requirements, including mandatory data breach notifications for "accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to personal data."
The only wrinkle: the directive applies solely to telecommunications companies and ISPs. Therefore the goal of the revision, says Anna Buchta, a policy officer for the EC, is to "harmonize" existing telecommunications and ISP laws and thus ensure an EU-wide "level playing field."
The best consumer protection
But in this era of rampant data breaches, is such a narrow update what's really needed? "Having it just for ISPs and telecoms providers? I'd say forget about it, it's got comparatively little use to the consumer," says Martha Bennett, research director for financial services at Datamonitor in London.
In fact, some EU agencies also want stronger medicine. The Council of Ministers, which fashions directives together with the EC and the European Parliament, has argued for applying the revised directive to all entities handling private data. Likewise, the European Network and Information Security Agency (ENISA), which advises the EU on information security matters, recommends notifications for raising consumer, business and government awareness of today's security shortcomings.
Buchta counters that the purpose of an EU directive is "to reflect only what is already in place in most member states" and thus "should be a quite high-level and general obligation which we hope would not lead to any conflicts with other security obligations."
Five-legged sheep or harmony?
Will Europe find harmony through a proactive approach to data breach disclosure? Or will it settle for the lowest common denominator, producing legislation that Bennett says all too often resembles "the five-legged sheep with three tails?"
The progressive side of the fence includes the strict data protection laws of Germany and Scandinavia, where "opt-in" has been the dominant social principle for decades . And in Italy, which only recently passed a data privacy law, violators now face jail time.
Other countries, meanwhile, still have weak data privacy penalties. In the UK, for example, while public sector organizations must disclose data security incidents to the Information Commissioner's Office (ICO), it can impose a maximum fine of only £5,000 ($7,400). "The Information Commissioner is about as efficient as a paper tiger," notes Bennett.
And it shows: "I've regularly gone onto corporates and advised on security breaches which should never have happened: putting private data on test servers and making that live, leaking information onto Web sites in unsecured form, user data on memory sticksâ€¦" says Simon Briskman, a partner at London-based law firm Field Fisher Waterhouse LLP. "My message is that that hasn't changed in the last 10 years or so. I was doing the exact same job in '97 as in '08."
Giving UK enforcers some bite
Finally, after more than a year of embarrassing data breaches involving such agencies as the Ministry of Defense and HM Revenue & Customs, the government is increasing the ICO's power to audit organizations and levy fines. Richard Thomas, the UK Information Commissioner, is pushing for fines of up to 10 percent of a company's revenue. As he noted in a recent speech at the RSA Europe conference in London, "the threat and reality of substantial penalties will concentrate minds and act as a real deterrent."
Interestingly, however, he's against mandatory data breach notifications. "Put simply, where the risks posed by security breaches are serious, a notification requirement would be too timid. If they are not, it would be excessive." Furthermore he worries that an overly broad notification rule would result in "breach fatigue" and lead to public apathy.
Flogging, or the scarlett "B"
Some experts, however, argue that Thomas is overlooking the most effective data breach deterrent of them all. "Being forced to tell customers 'we have screwed you' with all the attendant press coverage has had a major impact of boards of directors paying attention to security—orders of magnitude more than reporting regimes like [Gramm-Leach-Bliley] and Sarbanes-Oxley," notes Gartner Inc. analyst John Pescatore.
Of course if the EU mandates public data breach notifications, the UK will have to get on board. But it wouldn't happen overnight: after the EU publishes the revised directive—anticipated to occur in mid-2009—member states typically pass national laws which instantiate it about 18—24 months later.
Even if mandatory notifications don't make it into the directive, however, the legislative writing is on the wall, especially in the UK. Over the next five years, predicts Briskman, organizations that continue to treat information security as a "Cinderella subject" and fund it accordingly will get burned. "It's time that people at board level wake up to these issues.
Mathew Schwartz, a freelance journalist based in England, has covered information security issues for more than a decade.