The European Union has tightened its data breach notification requirements. Some firms now have as little as 24 hours from the time of discovery to report a breach. Our company operates in both the U.S. and Europe, and we rely on a standard breach management process. How should we adjust our reporting processes so that they are compliant and yet workable?
In August 2013, the European Union (EU) moved to require providers of public electronic communications services (such as Internet service providers and telecommunications providers) to report suspected data breaches to authorities within 24 hours of detection. These providers must also deliver follow-up reporting that includes more detail within three days of an incident.
Ask the Expert
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)
The first question that any organization must answer is whether this new EU data breach notification regulation actually applies to it. The precise language in the commission's regulation is that it applies to "providers of publicly available electronic communications services." If there is any doubt about whether this term applies, consult an attorney for context-specific advice.
If the rule does apply to a company's operations, review the existing breach management process to determine whether it facilitates this type of reporting. The good news is that any organization that is already subject to the Payment Card Industry Data Security Standard (PCI DSS) is likely in good shape. These EU requirements are similar to PCI DSS breach notification requirements, which mandate "immediate" notification to your merchant bank and a complete incident report within three days. If an enterprise has this capability already, the right reaction to this new regulation may simply be to update its existing response plan to include an assessment of whether a breach affected personal information regulated by the EU and, if so, to conduct any required notifications.
If a company's existing process does not allow for this type of speedy notification, it will need to streamline the processes to get both management and legal counsel involved quickly and make a speedy decision as to whether notification is required.
This was first published in November 2013