Europeans Propose Getting Tougher on Data Breaches!

New Perils in a Connected World – by Stew Nelson

The European Union (EU) has had rules in place regarding storing and securing Personal Information since 2002. These rules required breaches to be reported to national regulators and to the individuals affected by the data breach. Now, however, after the recent spate of breaches, the European Digital Agenda Commissioner Neelie Kroes announced that she was starting a public commentary to see if more regulation was required. Last May regulators launched a trial balloon by proposing that EU regulations should be extended to online banking and shopping, social media and even online games. As a sidebar, Ms. Kroes singled out Sony for an alleged lapse after a recent “gaping hole” was found in their firewall!

The good news is that, unlike the U.S., the EU will adopt a common standard across all Euro Zone countries rather than having separate regulations in each state, as is currently happening in the U.S. The bad news is that the regulation will apply to data in “the cloud” regardless of where it is physically stored. Presumably, this would extend the EU law to U.S. companies if a European citizen’s data were stored in the U.S.

U.S. House Panel Follows Suit on Their Own Notification Law

Called the “Secure and Fortify Electronic Data Act” (SAFE Data Act), the bill would require individuals to be notified only if their name, phone number or credit card numbers were compromised along with a Social Security number, driver’s license number, or other government ID. The bill would not require notification if a Social Security number, credit card number or bank account number was compromised unless it was combined with other personal information. The bill must now go to the full Energy and Commerce Committee for approval.

Key provisions of the bill are:

  • The bill would preempt state laws already enacted in over 47 states.
  • Companies and other entities that hold personal information must establish and maintain appropriate security policies to prevent unauthorized acquisition of their data.
  • Following a breach, companies must notify the appropriate law enforcement agencies within 48 hours after the discovery of the breach (unless the breach was inadvertent and unlikely to result in harm).
  • Organizations have 48 hours to begin notification after first taking steps to plug the hole to prevent further loss of data.
  • The Federal Trade Commission (FTC) would be granted authority over nonprofits for purposes of breach notification.

Stay tuned! It is clear that breaches are going to become more of a headache for companies that store Personal Information. The moral is: if you don’t need to store PI… don’t!