EU considers uniform data breach law and mandatory 'cyber' insurance

Filed Under: Featured, Law & order, Privacy

Back in January the European Commission proposed an update to the data protection laws in the EU with the goal of unifying data breach notifications and clarifying their application throughout Europe.

There was a lot on the table, including defining which countries have jurisdiction for multinational organizations, rules for European companies performing data processing outside of the EU and hefty penalties for non-compliance.

Some of the more important things for individuals include a "right to be forgotten" provision and a clear definition that consent means people must opt-in, not opt-out. It would also eliminate the fees for getting access to the data a company is storing about you.

Naked Security is a big supporter of opt-in policies with regard to privacy issues and the idea of a right to be forgotten sounds great, but what does it mean and how would you implement that?

The most controversial change is the requirement to report data breaches within 24 hours of discovery.

The European Network and Information Security Agency (ENISA) expressed concerns about this policy changing the way organizations prioritize resources post-exploitation.

Rather than work on closing the holes and mitigating further risk to users and data, organizations will spend their time and energy on filling out reports and managing the PR fallout of the incident.

These are valid concerns. Upon discovery of a breach, limiting the damage should be rule number one. 24 hours isn't even enough time to determine the extent of the damage and find out who might have been impacted.

ENISA suggests this might be better managed by requiring organizations to have so-called "cyber insurance". An organization would be incented to improve its security to achieve lower premiums.

While the idea is good, I don't see it working out that way. Developing proper actuarial tables for something like information security is nearly impossible.

What is the value of a record? How were you compromised and what resources are required to recover? Who is responsible for the mistakes that led to the information being leaked?

These questions don't even take into consideration the reckless behaviors organizations might engage in if they feel they are somewhat shielded from liability when hacked.

Unification of laws across Europe with a focus on strong privacy protections is a noble goal. This law needs a lot more work to accomplish its intent.

Hopefully there will be a healthy debate that fixes some of the oddities in the version available today.

Sorry ENISA, securing user data isn't as simple as buying an insurance policy and achieving a series of certification tick boxes. It is a process that is never finished and requires passion and hard work.

Insurance globe image courtesy of Shutterstock.


5 Responses to EU considers uniform data breach law and mandatory 'cyber' insurance

  1. Vito · 653 days ago

    Insurance is a last resort. The first line of defense in securing data is protecting it against unauthorized access in the first place. That's a technological function, and it requires innovation. The same innovative technology that detects an intrusion can identify the intruder. If any data is lost, the insurance policy covers it, and then recovers its costs from the bad guy. Doing jail time at public expense doesn't cut it. And it doesn't work. If these jerks had to pay for the damage they cause, that would be a real deterrent.

  2. Fezno Mint · 653 days ago

    The phrase "required to have insurance" epitomizes the kind of upside down mentality for which politico-bureaucratic hacks are famous. Insurance is a real government function because it protects property and is voluntary. Leave it to the pseudo-government state to turn it into a weapon, shoved down people's throat at gunpoint. Maximum irony there.

  3. Robert Wurzburg · 652 days ago

    There must be the development and enforcement of reliable standards imposed upon
    industry of all kinds, with fines and other penalties for non-compliance.
    Same thing for PCI 2.0 at the server side. The newer HTML 5.0 would be another use
    of security and user standards imposed upon government, business, and individual
    users of systems.
    Mandatory encryption of server data to minimum standards like AES 256 bit would be
    another area of forced compliance, otherwise fines imposed and Security Certificates
    would be revoked. With the speed of present and future connections and equipment
    this is not much of an issue, cost or performance-based to use as an excuse not to.
    Software can be installed to monitor compliance conditions and impose them, or be
    forced to comply by shutting websites and servers down until compliance is met and
    the standards and specifications are satisfied.

  4. newvice · 648 days ago

    nice post. happy blogging :)

  5. newvoice · 646 days ago

    The newer HTML 5.0 would be another use this is not much of an issue, cost or performance-based to use as an excuse not to.


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.