Facebook may or may not have pulled the equivalent of mumbling under its breath when it disclosed its recent data breach – after all, slipping out a notice on a Friday ensures most people have gone from their desks for the weekend and may not read about it for at least a couple of days.
But new rules published on Monday by the European Commission would ensure that data breaches like that get disclosed within 24 hours of the breach – a move that could bar slip-it-under-the-radar disclosure timing.
At least, the new rules would do that if, in fact, they pertain to companies that aren’t telecoms or ISPs but that still hold vast stores of customer data.
The new, Europe-wide rules require that ISPs and telecoms report a data breach to national regulators within 24 hours of the breach, and that they cough up specific detail about what type of data has been compromised, if at all possible, within that same time frame.
When TechCrunch asked about companies such as Facebook, Google et al., the EC said that such data-chugging behemoths are not covered by the new ePrivacy Directive but are in fact covered by the Data Protection Directive, which covers all data controllers.
Still, such companies might yet get rolled into the same requirements. Here’s what an EC spokesperson told TechCrunch’s Ingrid Lunden:
“The Commission also proposes to update that wider data protection directive. But we don’t know the outcome of those reform negotiations yet. If the Commission proposal stayed in its original form, then yes Facebook, Google, etc. would then have the same obligations as outlined today to telecoms companies.”
One sector that’s most assuredly and most unsurprisingly exempt from the new rules: government.
From the EC spokesperson:
“The ePrivacy Directive itself has a general exemption for justified national security reasons, and government requests for access to personal information must be court-approved.”
Governments aside, companies can also get out of the new disclosure rules by investing in security.
Specifically, the EC is encouraging companies to adopt approved encryption, which would remove the customer-notification requirement for those who’ve implemented protection.
Companies do still have to notify the national authority of the breach, however.
The EC isn’t, technically, requiring that ISPs and others report all the breach details to their subscribers. What it’s giving is merely criteria to help assess when they should do so.
Companies should take into account the type of data compromised when they determine whether to notify subscribers, the EC said.
That applies particularly to telecoms, with their stores of financial information, location data, internet log files, web browsing histories, e-mail data, and itemised call lists.
Here’s the list of what companies are now expected to do, from the EC’s notice:
- Inform the competent national authority of the incident within 24 hours after detection of the breach, in order to maximise its confinement. If full disclosure is not possible within that period, they should provide an initial set of information within 24 hours, with the rest to follow within three days.
- Outline which pieces of information are affected and what measures have been or will be applied by the company.
- In assessing whether to notify subscribers (i.e. by applying the test of whether the breach is likely to adversely affect personal data or privacy), companies should pay attention to the type of data compromised, particularly, in the context of the telecoms sector, financial information, location data, internet log files, web browsing histories, e-mail data, and itemised call lists.
- Make use of a standardised format (for example an online form that is the same in all EU Member States) for notifying the competent national authority.
The EC is giving companies plenty of leeway, apparently, in whether or not they disclose breaches to customers.
It’s also letting companies off the hook for notifying subscribers if they invest in appropriate encryption.
Google itself posted an article in December 2011 by Catherine Tucker, Douglas Drane Career Development Professor in IT and Management and Associate Professor of Marketing at MIT Sloan School of Management, titled, plainly enough, “Protecting personal data through encryption is not enough.”
Tucker writes that, at least in hospital settings, encryption implementation actually increases data-handling sloppiness:
“Surprisingly, we find empirical evidence that when hospitals adopt encryption software, it does not reduce instances of publicized data loss. Instead, adopting encryption software makes publicized data losses more likely, particularly instances of data loss due to negligence or internal fraud. The result is a moral hazard: firms using encryption software are more careless about controlling internal access to encrypted data and their employees are more careless about computer equipment containing encrypted data. Losing a computer with encrypted data might matter a lot, especially since employees often keep the key with the encrypted data or lose the password, compromising the encryption.”
Perhaps the EC should rethink all the outs it’s giving companies when it comes to notifying subscribers of data breaches.
As Tucker makes clear, just because you’re using data encryption doesn’t mean you can’t fumble.
Users deserve to know about that fumbling.