On 25 August, the EU’s new breach notification Regulation for electronic communication service (ECS) providers came into force. The Regulation supplements an earlier Directive that instructed ECS companies to notify their competent national authority in accordance with national laws.
Now the new Regulation defines a standard process across the entire Union: European ECS providers are required to provide notice of data breaches (defined in the Directive as the “accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service in the Union”). It also states, “The provider shall notify the personal data breach to the competent national authority no later than 24 hours after the detection of the personal data breach, where feasible.”
The new ECS breach notification regulation is widely seen as a precursor to the proposed EU General Data Protection Regulation (GDPR) which will apply to all companies operating in the EU. The GDPR similarly includes a breach notification requirement, but backs it up with potential fines of up to 2% of annual turnover. It seems certain, then, that within a few years, all businesses will need to be ready with effective breach notification procedures. But a new survey undertaken by AlienVault shows that there is currently a huge resistance to public disclosure among EU companies.
AlienVault surveyed 300 security professionals across Europe. The results showed that only 2% of surveyed EU companies are willing to go public if they suffer a security breach. Thirty-eight percent are willing to inform the relevant authorities and 31% said they would tell their employees. A mere 11% said they would share the information with the security community.
Barmak Meftah, president & CEO of AlienVault, thinks this reluctance is because companies fear “damage to… brand and reputation could be significant.” The problem, however, is that an EU Regulation is an EU law – companies will have no legal choice. And the need to report the breach within 24 hours of detection is likely to be particularly testing.
In the US, where there are some, but inconsistent, disclosure laws, notification notices often include a reference to the company ‘working with law enforcement.’ Law enforcement can sometimes request that a disclosure not be made public if the hack is still ongoing when discovered: if the hackers are unaware that the breach has been discovered, it is more likely that forensic investigators will be able to track them.
There is a possibility that EU ECS companies could use a similar defense for delaying notification. The Regulation says within 24 hours, “where feasible.” The national competent authority (in the UK, the ICO) could define helping law enforcement as something that makes 24-hour disclosure infeasible.
It is noticeable, however, that the ICO’s written guidelines on the Regulation make no mention of a 24-hour deadline. It suggests that ECS providers keep a log of all incidents and automatically send a copy to the ICO each month. “This means you won’t have to record the information twice and will meet your requirement to notify any security breaches without unnecessary delay [our emphasis].” On this basis it would seem that the EU is demanding 24-hour breach notification, business is reluctant to make any notification, and – at least in the UK – the national competent authority is not particularly enforcing it.