Data security breach notification: it's coming your way!
Data breach notification laws have existed in the US for several years. California was the first state to introduce a data breach notification law in 2002, followed soon after by forty-five other US states. In 2012, the US Senate introduced a Data Security and Breach Notification Act which, if enacted, would establish a national data security and beach notification standard for the protection of consumer's electronic personal information across the US.
In Europe, data breach notification has only drawn attention at a political and legislative level following recent press coverage of data breach scandals. Nevertheless, the numerous debates, initiatives and legislative proposals that have appeared in recent months are evidence of Europe's growing interest in this topic, and recognition of the need to regulate. As an example, the EU Commission's Directorate General for Communications Network, Content and Technology (DG CONNECT) recently proposed to "explore the extension of security breach notification provisions, as part of the modernisation of the EU personal data protection regulatory framework" in its Digital Agenda for Europe (action 34).
From a legislative perspective, things have been moving forward rather steadily for several years. In 2009, the European legislator adopted a pan-European data breach notification requirement for the first time, under the amended ePrivacy directive 2002/58/EC ("ePrivacy directive"). True, the directive only applies to "providers of publicly available electronic communications services" (mainly telecom operators and ISPs), but in a limited number of EU Member States the ePrivacy directive was implemented with a much broader scope (e.g., Germany). In June 2013, the European Commission released a new regulation explaining the technical implementing measures for data breach notification by telecom operators and ISPs.
Following this first legislative step, the European Commission has recently made two further legislative proposals. The first, which has drawn the most attention, was the European Commission's proposal of a new regulation to replace the current Data Protection Directive 95/46/EC. If adopted, this Regulation would introduce a general obligation for all data controllers, across business sectors, to notify the regulator in case of a breach without undue delay, and not later than 24 hours after having become aware of it. Companies would also have to report data breaches that could adversely affect individuals without undue delay. This Regulation would apply not only to organizations that are established on the territory of the EU, but also to those that are not established within the EU, but target EU citizens either by offering them goods and services, or by monitoring their behaviour.
Needless to say, in Brussels, stakeholders and lobbyists have been actively campaigning against the proposed data breach provisions for months on the grounds that they are unfriendly to business, cumbersome and impractical. Following the debates at the European Parliament and the Council of Ministers on the proposed Regulation, a less prescriptive, more business-friendly version of the data breach provisions may end up being adopted. Currently, discussions are ongoing in an attempt to limit the scope of the data breach requirements to breaches that are "likely to severely affect the rights and freedoms of individuals". The deadline for reporting breaches could also be extended to 72 hours. At this point, it is impossible to predict with certainty what will be the final wording of those provisions. However, there does seem to be a consensus among the EU institutions and member states that, one way or another, a data breach notification requirement must be introduced in the Regulation.
Secondly, the European Commission has proposed a directive that aims to impose new measures to ensure a high common level of network and information security across the EU. The Directive concerns public administrations and market operators, namely "providers of information society services" (i.e., e-commerce platforms, internet payment gateways, social networks, search engines, cloud computing services, application stores) and "operators of critical infrastructure that are essential for the maintenance of vital economic and societal activities in the fields of energy, transport, banking, stock exchanges and health." The Directive would require them to report significant cyber incidents (e.g., an electricity outage, the unavailability of an online booking engine, or the compromise of air traffic control due to an outage or a cyber attack) to a national competent authority.
So what does this tell companies?
First, that data security in general and data breach notification in particular are drawing more and more attention, and thus cannot be ignored. As was the case a few years ago in the US, data breach notification is bound to become one of the hottest legal issues in Europe in the coming years. The legal framework for data breach notification may still be a work-in-progress, but nevertheless it is becoming a reality in Europe. Second, companies should not wait until data breach laws come into force in Europe to start implementing an action plan for handling data breaches. While data breach notification may not yet be a legal requirement for all companies in Europe, the reputational damage caused by a single data breach should motivate companies to implement robust data breach handling procedures. Finally, data breach notification can be viewed as a competitive advantage that enables companies to be more forthcoming and transparent vis-à-vis clients and customers who entrust them with their personal data.
For more information on data security breach notification rules in France, view my article in English: "Complying with Data Breach Requirements in France" (first published in BNA's World Data Protection Report); and in French: "La notification des violations de données à caractère personnel: analyse et décryptage" (first published in Lamy Droit de l'Immatériel) .