The European Union has tightened its data breach notification requirements. Some firms now have as little as 24...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
hours from the time of discovery to report a breach. Our company operates in both the U.S. and Europe, and we rely on a standard breach management process. How should we adjust our reporting processes so that they are compliant and yet workable?
In August 2013, the European Union (EU) moved to require providers of public electronic communications services (such as Internet service providers and telecommunications providers) to report suspected data breaches to authorities within 24 hours of detection. These providers must also deliver follow-up reporting that includes more detail within three days of an incident.
Ask the Expert
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)
The first question that any organization must answer is whether this new EU data breach notification regulation actually applies to it. The precise language in the commission's regulation is that it applies to "providers of publicly available electronic communications services." If there is any doubt about whether this term applies, consult an attorney for context-specific advice.
If the rule does apply to a company's operations, review the existing breach management process to determine whether it facilitates this type of reporting. The good news is that any organization that is already subject to the Payment Card Industry Data Security Standard (PCI DSS) is likely in good shape. These EU requirements are similar to PCI DSS breach notification requirements, which mandate "immediate" notification to your merchant bank and a complete incident report within three days. If an enterprise has this capability already, the right reaction to this new regulation may simply be to update its existing response plan to include an assessment of whether a breach affected personal information regulated by the EU and, if so, to conduct any required notifications.
If a company's existing process does not allow for this type of speedy notification, it will need to streamline the processes to get both management and legal counsel involved quickly and make a speedy decision as to whether notification is required.
Dig Deeper on Data Privacy and Protection
Related Q&A from Mike Chapple
It's hard to tell if a company is a HIPAA business associate, but a closer look at HHS documents helps. Expert Mike Chapple discusses a specific case...continue reading
There was speculation in the security world over whether the FedRAMP certification would be helpful or not. Now that it's in full use, Mike Chapple ...continue reading
Medical device companies are part of the health industry, but does that make them a HIPAA covered entity or business associate? Expert Mike Chapple ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.