Europe’s proposed new laws on data protection are burdensome and expensive, but may give companies incentive to put more measures in place to secure data, according to representatives of business interests.
The mandatory notification of data breaches “as soon as possible” normally within 24 hours has caused the most concern. But other elements of the European Commission’s proposed reform of the Data Protection Directive has alarmed many in industry.
Under the proposed law companies would be obliged to inform both the relevant Data Protection Authorities (DPAs) and all affected individuals of any data security breach, including unauthorized destruction or loss.
Organizations that fail to issue notifications about a personal data breach in a timely or complete fashion to the supervisory authority will face fines of up to 2 percent of their current revenues. Mark Fullbrook, director of IT security company Cyber-Ark, questioned the reason for a time limit: “If the goal of this law is to provide consumers with upfront information about the security of their information, then a 24-hour notification period is hardly going to enable that. If you look at any of the serious breaches that have occurred over the last year, not one of the affected organizations was able to articulate the true extent of the breach within a day.”
“I remain unconvinced that legislating around the disclosure of breaches actually provides any real incentive for organizations to employ best practices when it comes to data security. Let’s face it, imposing a fine or a time limit is just like putting a plaster over a gaping wound — it only goes so far,” he added.
Many security firms however were quick to see the business advantage in helping companies meet these new requirements. “The most effective way to identify exactly what data has been compromised, and thus generate accurate breach notifications within 24 hours, is by deploying centralized protective monitoring systems that automatically collect and analyze all log data generated by the IT infrastructure,” said LogRythh vice president Ross Brewer.
However Brewer also warned about the danger of “over-disclosure”, which, he said, is a risk as many companies don’t know what information has been compromised and may be forced to issues a blanket breach notification.
But the “cost of implementing security measures to proactively protect corporate information from potential data breaches and attacks, is far less than the ultimate cost of a data breach,” pointed out Aziz Maakaroun, managing partner of Outpost24 UK. “Rather than suffering from the financial and reputational damage that comes as a result of a data breach, surely it would be more beneficial for businesses to take steps to prevent data breaches from ever occurring in the first place.”
Consumers’ right to be forgotten also came under fire from industry. “Introduction of the so-called “right to be forgotten” goes beyond a justifiable desire to enhance individuals’ ability to erase their personal data on the Internet and creates a right that will be difficult to implement and that may have a chilling effect on the use of the Internet in the E.U. The new rules for allocating responsibility between data controllers and data processors will place a heavy burden on many E.U. companies to revise their contracts with non-EU service providers, a process over which they may have little control,” said Wim Nauwelaerts, partner in the privacy and data security practice at Brussels law firm Hunton & Williams.
“In a further difficulty, the new regulations also require ‘data portability’ which means businesses risk having to transfer valuable data to their competitors if requested to do so by the individuals themselves,” added Mark Owen, partner at London media law firm Harbottle & Lewis. “All this may well make it much more difficult for companies to use behavioral advertising techniques and will also place an administrative burden on insurance companies and suppliers of credit who routinely rely on statistical profiling. “
The Commission claims that the new measures will save European businesses money by unifying the bloc’s 27 different national data privacy laws. “Instead of the current obligation of all companies to notify all data protection activities to data protection supervisors — a requirement that has led to unnecessary paperwork and costs businesses €130 million per year — the Regulation provides for increased responsibility and accountability for those processing personal data,” said the Commission.
However many companies will have to perform privacy impact assessments at a cost of around €14,000 (US$18,163). Companies with more than 250 people will also have to appoint a data protection officer.
“A big question is whether the business community will be willing or able to police itself. If it can’t, businesses could find themselves exposed to regular reviews by official regulatory bodies. The definition of a ‘breach’ will also have to be made clear. Will it depend on the number of records or documents exposed, for example, or on the type of information leaked? Organizations should prepare for both of these options,” said Christian Toon, head of information security for Iron Mountain Europe.
The incentive for companies to prepare for the new laws are increased fines based on global revenues — up to 2 percent of worldwide revenues for the most serious infractions. Commission experts said however that the fines would be proportional to the seriousness of the offense and that smaller businesses would not be fined for a first infraction.
Follow Jennifer on Twitter at @BrusselsGeek or email tips and comments to jennifer_baker@idg.com.