Back in January the European Commission proposed an update to the data protection laws in the EU with the goal of unifying data breach notifications and clarifying their application throughout Europe.
There was a lot on the table, including defining which countries have jurisdiction for multinational organizations, rules for European companies performing data processing outside of the EU and hefty penalties for non-compliance.
Some of the more important things for individuals include a “right to be forgetten” provision and a clear definition that consent means people must opt-in, not opt-out. It would also eliminate the fees for getting access to the data a company is storing about you.
Naked Security is a big supporter of opt-in policies with regard to privacy issues and the idea of a right to be forgotten sounds great, but what does it mean and how would you implement that?
The most controversial change is the requirement to report data breaches within 24 hours of discovery.
The European Network and Information Security Agency (ENISA) expressed concerns about this policy changing the way organizations prioritize resources post-exploitation.
Rather than work on closing the holes and mitigating further risk to users and data, organizations will spend their time and energy on filling out reports and managing the PR fallout of the incident.
These are valid concerns. Upon discovery of a breach limiting the damage should be rule number one. 24 hours isn’t even enough time to determine the extent of the damage and find out who might have been impacted.
ENISA suggests this might be better managed by requiring organizations to have so-called “cyber insurance”. An organization would be incented to improve its security to achieve lower premiums.
While the idea is good, I don’t see it working out that way. To develop proper actuary tables for something like information security is nearly impossible.
What is the value of a record? How were you compromised and what resources are required to recover? Who is responsible for the mistakes that led to the information being leaked?
These questions don’t even take into consideration the reckless behaviors organizations might engage in if they feel they are somewhat shielded from liability when hacked.
Unification of laws across Europe with a focus on strong privacy protections is a noble goal. This law needs a lot more work to accomplish its intent.
Hopefully there will be a healthy debate that fixes some of the oddities in the version available today.
Sorry ENISA, securing user data isn’t as simple as buying an insurance policy and achieving a series of certification tick boxes. It is a process that is never finished and requires passion and hard work.
Insurance globe image courtesy of Shutterstock.