EU privacy chief wants data breach law for business

The privacy watchdog for EU institutions has called for a planned requirement for telecoms companies to publish details of information security breaches to be extended to banks, businesses and medical bodies.

The European Commission has proposed a data breach notification law which would force telecoms companies to tell customers when personal information had been lost. The requirement was among other proposed changes to the Privacy and Electronic Communications Directive published last autumn.

The European Data Protection Supervisor (EDPS) has said that if the proposal is designed to help prevent identity theft it must be extended to include banks, businesses and others.

"While the EDPS is pleased with the security breach notification system … he would have favoured their application at a wider scale to include providers of information society services," said the EDPS's response. "This would mean that online banks, online businesses, online providers of health services etc would also be covered by the law."

EDPS Peter Hustinx said that the extension makes logical sense.

"The reasons that justify imposing the security breach notification upon providers of public electronic communication services also exist regarding other organisations which also process massive amounts of personal data, the disclosure of which may be particularly harmful to data subjects," said his response.

"The compromise of information held by online banks and online business which may include not only bank account numbers but also credit card details may trigger identity theft, in which case it is essential for individuals to be made aware in order to take the necessary measures," said the EDPS.

The EDPS's formal opinion on the proposals outlined what it saw as the benefits of data breach notification laws.

"When data breaches occur, notification has clear benefits, it reinforces the accountability of organisations, is a factor that drives companies to implement stringent security measures and it permits the identification of the most reliable technologies towards protecting information," it said. "Furthermore, it allows the affected individuals the opportunity to take steps to protect themselves from identity theft or other misuse of their personal information."

Controversy surrounds plans for data breach notification laws because they are opposed not only by many businesses but also by some privacy and data protection experts. Some experts argue that a constant stream of data breach announcements might make the public blasé about the threats posed by mistakes.

The EDPS countered those arguments in its response to the Commission's proposals. "The existence of a security breach notification has proved to be a factor that drives security investment at organisations that process personal data," it said. "Indeed, the simple fact of having to publicly notify security breaches causes organisations to implement stronger security standards that protect personal information and prevent breaches."

"The notification of security breaches makes individuals aware of the risks they face when their personal data are compromised and helps them to take the necessary measures to mitigate such risks. For example, if bank details have been compromised, the individual who is informed may decide to change his/her access details to his/her bank account to prevent someone from taking this information and using it for an unlawful purpose," it said.

"The proposed amendments to the Directive are not as ambitious as they should be. In dealing with new issues, such as the setting up of a mandatory security breach notification system, the proposal remains too restrictive in its scope," said Hustinx.

Hustinx backed other proposals for reforming the Privacy and Electronic Communications Directive contained in the Commission's proposal. These included an extension to the current requirement for notification of cookies.

At present the law requires notification when there is access to information or storage of information in users' computers carried out via electronic communication networks. That means that spyware introduced by disc escapes the law, though it may fall foul of other laws.

The proposal would extend the notification requirement to cover storage of information on users' computers via media such as CD or USB storage devices. The proposal also clarifies and extends the right to sue spammers.