Answer

How to adapt to latest EU data breach notification requirement changes

The European Union has tightened its data breach notification requirements. Some firms now have as little as 24 hours from the time of discovery to report a breach. Our company operates in both the U.S. and Europe, and we rely on a standard breach management process. How should we adjust our reporting processes so that they are compliant and yet workable?

    Requires Free Membership to View

In August 2013, the European Union (EU) moved to require providers of public electronic communications services (such as Internet service providers and telecommunications providers) to report suspected data breaches to authorities within 24 hours of detection. These providers must also deliver follow-up reporting that includes more detail within three days of an incident.

Ask the Expert

Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)

The first question that any organization must answer is whether this new EU data breach notification regulation actually applies to it. The precise language in the commission's regulation is that it applies to "providers of publicly available electronic communications services." If there is any doubt about whether this term applies, consult an attorney for context-specific advice.

If the rule does apply to a company's operations, review the existing breach management process to determine whether it facilitates this type of reporting. The good news is that any organization that is already subject to the Payment Card Industry Data Security Standard (PCI DSS) is likely in good shape. These EU requirements are similar to PCI DSS breach notification requirements, which mandate "immediate" notification to your merchant bank and a complete incident report within three days. If an enterprise has this capability already, the right reaction to this new regulation may simply be to update its existing response plan to include an assessment of whether a breach affected personal information regulated by the EU and, if so, to conduct any required notifications.

If a company's existing process does not allow for this type of speedy notification, it will need to streamline the processes to get both management and legal counsel involved quickly and make a speedy decision as to whether notification is required. 

This was first published in November 2013

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: