All data breaches must be made public

By Peter Hustinx , Special to ZDNet Asia
Monday, February 23, 2009 09:03 AM

Hardly a day goes by when we do not awake to press reports of security breaches resulting in the loss of thousands, sometimes even millions, of records. Hacked or malfunctioning databases can expose people to identity theft, financial loss and damaged reputation through the disclosure of sensitive information such as credit-card numbers, account details or medical records.

When these breaches occur, affected individuals ought to be notified so they can take the necessary steps. Outside Europe, laws have already been introduced requiring organizations to alert individuals affected by data breaches. These laws encourage companies to invest in security to avoid the bad publicity that could occur when breaches are made public.

Significant consequences
Because of the serious consequences of data breaches, one would hope European legislators would not shy away from adopting a mandatory consumer-notification requirement in the case of breaches that may adversely affect individuals' privacy.

Thus, the proposal to set up a security-breach reporting mechanism put forward by the European Commission and endorsed by the European Parliament and Council, in the context of the review of the EU E-Privacy Directive, should be well received by European citizens and stakeholders in general.

Unfortunately, if the Council and Commission approach prevails, European citizens will be disappointed to learn that the only organizations obliged to disclose breaches would be providers of publicly available electronic communications services.

That restriction means European citizens would only be alerted if their Internet access or telephone company suffers security breaches. If their online bank is hacked or its security systems are cracked, enabling the unauthorized access to bank account information, citizens might not be notified.

So, unless the amendments proposed by the European Parliament are adopted by the Council, online banks and other e-businesses would be off the hook.

The reasons that justify the Council and Commission policy of such a limited approach are not entirely clear. The Commission has based its position on legal considerations--that is, the overall scope of the E-Privacy Directive is meant to regulate telecoms and access providers only.

That rationale is undermined by the existence of other sections in the E-Privacy Directive that have a broader application. Given the magnitude of the risks involved and the possibility of reducing them by passing legislation, one would hope that these types of technical legal arguments would not stand in the way of achieving such important policy objectives.

Sensitivity of information
Also, surely the type of information commonly held by banks, e-health and e-commerce providers is at least as sensitive as that which would normally be processed by publicly available electronic communications service providers.

Indeed, individuals are as likely to suffer harm from the undue disclosure of bank-account details as from the disclosure of, for example, their telephone records. Thus, the sensitivity of the information compromised weighs heavily in favor of including e-businesses in the obligation to notify.

Common sense and the overall benefit to European citizens clearly call for the widest possible application of laws requiring organizations that suffer a data breach to alert affected individuals. Such laws should, at a minimum, include e-commerce providers and providers of publicly available electronic communications services.

As the European Commission, Parliament and Council work together to find a compromise solution towards the final adoption of the E-Privacy Directive, I hope that the severe consequences of data breaches will help them make the appropriate choice.

Peter Hustinx is the European data-protection supervisor. His mission is to ensure the protection of people whose data is processed by the European Commission institutions and bodies, as well as to give advice on new legislation with data-protection implications. This article was first published on ZDNet Asia's sister site, ZDNet UK.


Talkback (1 comment)

Data Breaches Largely Due to Lagging Business Culture
Most companies enjoy "security" insofar as they haven't been targeted, or had an employee make a human error with catastrophic exposure. Price Waterhouse Cooper and Carnegie-Mellon's CyLab have recent surveys that show the senior executive class to be, basically, clueless regarding IT risk and its tie to overall enterprise (business) risk. Data breaches and thefts are due to a lagging business culture--absent new eCulture, breaches will, and continue to, increase. As CIO, I'm constantly seeking things that work, in hopes that good ideas make their way back to me - check your local library: A book that is required reading is "I.T. WARS: Managing the Business-Technology Weave in the New Millennium." It also helps outside agencies understand your values and practices.
The author, David Scott, has an interview that is a great exposure: www.businessforum.com/DScott_02.html -
The book came to us as a tip from an intern who attended a course at University of Wisconsin, where the book is an MBA text. It has helped us to understand that, while various systems of security are important, no system can overcome laxity, ignorance, or deliberate intent to harm. Necessary is a sustained culture and awareness; an efficient prism through which every activity is viewed from a security perspective prior to action.
In the realm of risk, unmanaged possibilities become probabilities--read the book BEFORE you suffer a bad outcome--or propagate one.

Posted by John Franks on Tuesday, February 24 2009 02:40 AM
