All data breaches must be made public

COMMENT

The good news is that Europe's lawmakers want to make it obligatory to disclose data breaches. The bad news is that the law will not apply to everyone. Those exemptions are in no-one's interest, says European privacy tsar Peter Hustinx.

Hardly a day goes by when we do not awake to press reports of security breaches resulting in the loss of thousands, sometimes even millions, of records. Hacked or malfunctioning databases can expose people to identity theft, financial loss and damaged reputation through the disclosure of sensitive information such as credit-card numbers, account details or medical records.

When these breaches occur, affected individuals ought to be notified so they can take the necessary steps. Outside Europe, laws have already been introduced requiring organisations to alert individuals affected by data breaches. These laws encourage companies to invest in security to avoid the bad publicity that could occur when breaches are made public.

Significant consequences
Because of the serious consequences of data breaches, one would hope European legislators would not shy away from adopting a mandatory consumer-notification requirement in the case of breaches that may adversely affect individuals' privacy.

Thus, the proposal to set up a security-breach reporting mechanism put forward by the European Commission and endorsed by the European Parliament and Council, in the context of the review of the EU E-Privacy Directive, should be well received by European citizens and stakeholders in general.

Unfortunately, if the Council and Commission approach prevails, European citizens will be disappointed to learn that the only organisations obliged to disclose breaches would be providers of publicly available electronic communications services.

That restriction means European citizens would only be alerted if their internet access or telephone company suffers a security breach. If their online bank is hacked or its security systems are cracked, enabling unauthorised access to bank-account information, citizens might not be notified.


So, unless the amendments proposed by the European Parliament are adopted by the Council, online banks and other e-businesses would be off the hook.

The reasons that justify the Council and Commission policy of such a limited approach are not entirely clear. The Commission has based its position on legal considerations — that is, the overall scope of the E-Privacy Directive is meant to regulate telecoms and access providers only.

That rationale is undermined by the existence of other sections in the E-Privacy Directive that have a broader application. Given the magnitude of the risks involved and the possibility of reducing them by passing legislation, one would hope that these types of technical legal arguments would not stand in the way of achieving such important policy objectives.

Sensitivity of information
Also, surely the type of information commonly held by banks, e-health and e-commerce providers is at least as sensitive as that which would normally be processed by publicly available electronic communications service providers.

Indeed, individuals are as likely to suffer harm from the undue disclosure of bank-account details as from the disclosure of, for example, their telephone records. Thus, the sensitivity of the information compromised weighs heavily in favour of including e-businesses in the obligation to notify.

Common sense and the overall benefit to European citizens clearly call for the widest possible application of laws requiring organisations that suffer a data breach to alert affected individuals. Such laws should, at a minimum, include e-commerce providers and providers of publicly available electronic communications services.

As the European Commission, Parliament and Council work together to find a compromise solution towards the final adoption of the E-Privacy Directive, I hope that the severe consequences of data breaches will help them make the appropriate choice.

Peter Hustinx is the European data-protection supervisor. His mission is to ensure the protection of people whose data is processed by the European Commission institutions and bodies, as well as to give advice on new legislation with data-protection implications.

Talkback

It's quite clear that breaches of data involving government databases (e.g. Social Security, NHS etc.) are also at least as sensitive as phone and bank records, so why are these also excluded?

Of course, being a true government entity, the EU will do everything it can to exempt itself and the national governments of its members from requirements it imposes on businesses.

jamesmicallef, 30 January 2009, 13:14
