There are no overarching security breach regulations in Europe, right? To some extent, no. At an EU level, amendments were made to the ePrivacy Directive in May 2009 that made breach notification compulsory for internet service providers and network operators in the case of personally identifiable information about customers is lost or stolen.
Where does that leave organisations operating in other sectors? Can they afford to rest on their laurels? Certainly not. In the absence of specific laws related to security breach notification—such as SB 1386, which was the first such law put in place by the state of California and which has led to similar legislation being enacted in the majority of U.S. states—European countries are using existing data protection laws to punish offenders.
Germany is the first EU member state to add new requirements to its existing legislation that are specifically focused on security breach notification. Already perhaps the most stringent interpretation of the EU’s 1995 data protection directive, the German Federal Data Protection Act was amended in 2009 to introduce mandatory security breach notification where data is lost and that loss is likely to have a serious impact on the rights of the individual concerned.
It also introduces new powers for data protection authorities to order organisations to remediate compliance failures and increases the fines and sanctions that can be imposed for non-compliance.
The UK is one country that, whilst it has not actually amended its data protection legislation, is increasingly using its powers to take enforcement action against private sector organisations and government agencies to force higher standards of data security where lapses have occurred.
It is using the seventh data protection principle—which states that all data processing must be undertaken in a secure environment, including preventative measures to ensure that data is not accidentally lost, stolen or destroyed—to force bodies that have suffered data breaches to sign an undertaking that they will ensure compliance and that data is adequately protected from such breaches of security. Since 2007, some 100 organisations and government bodies have been forced to sign such undertakings.
With laws and regulations changing and with new ones coming into force more and more regularly, the ability to keep up with the obligations that your organisations face is becoming an increasingly onerous task.