Wednesday, 8 February, 2023
IT Security Guru

EU proposing 72 hour data breach notification

by The Gurus
November 10, 2014
in Editor's News

The 24-hour breach notification requirement in the proposed data protection regulation is likely to be pushed back to 72 hours.
 
According to the first reading document on the “Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data”, 72 hours is the time within which a breach should be reported.
 
The document states: “As soon as the controller becomes aware that a personal data breach which may result in physical, material or moral damage has occurred the controller should notify the breach to the supervisory authority without undue delay and, where feasible, within 72 hours.”
 
Noting the danger a data breach could pose to a person, the document stated that where notification cannot be achieved within 72 hours, an explanation of the reasons for the delay should accompany it.
 
“The individuals whose rights and freedoms could be severely affected by the breach should be notified without undue delay in order to allow them to take the necessary precautions,” it said. “The notification should describe the nature of the personal data breach as well as recommendations for the individual concerned to mitigate potential adverse effects. Notifications to data subjects should be made as soon as reasonably feasible, and in close cooperation with the supervisory authority and respecting guidance provided by it or other relevant authorities (e.g. law enforcement authorities).”
 
Speaking to IT Security Guru, Eduardo Ustaran, partner at Hogan Lovells International, confirmed that the proposed change from 24 hours to 72 hours is coming from the Council of the EU, which represents the EU Member States.
 
He said: “The member states’ Governments seem to have been receptive to the calls from both industry and data protection authorities to extend the deadline for data breach notification. A three-day timeframe is obviously more realistic and in line with what may happen in practice, but in some cases, it may even be too short.”
 
André Bywater, principal adviser for European Regulatory at Cordery, said that his understanding was that the current EU Council (the 28 EU Member States sitting together) thinking about this was that where there has been a personal data breach which is likely to result in a high risk for the rights and freedoms of individuals, in particular: discrimination, identity theft, fraud, financial loss, damage to the reputation, loss of confidentiality of data protected by professional secrecy or any other significant economic or social disadvantage, the data controller must notify the personal data breach to the data protection regulator not later than 72 hours after having become aware of it.
 
“This notification has to be accompanied by a reasoned justification in cases where it is not made within 72 hours,” he said.
 
“The language being used here suggests that there will be some discretion on the part of the data controller making the notification as regards determining whether there is a high risk of the nature indicated, but I wonder if in reality there will be much room for manoeuvre. There is apparently also debate within the EU Council about whether the word ‘high’ should appear before the word ‘risk’ or not – this is not a question of semantics but a question of alignment with the EU Privacy Directive regime.”
 
He understood it to be in the overall final proposal by the Council concerning its proposed amendments to the EU Data Protection Regulation, but he believed that some EU Member States have reservations about this, so it might not end up in the final Council proposal, or it may end up in a modified form.
 
Jonathan Armstrong, partner at Cordery, said that in the USA, some states have an even longer timescale for reporting and the clock is not running until law enforcement have given the OK.
 
“Some US states for example have 45 days after law enforcement have left the scene,” he said. “My worry is that short notice periods give criminals the upper hand, in other words they know within days whether the exploit has been successful and sometimes the report will be more detailed on what they have than they may know.”
 
Ustaran said that the EU Council is also trying to narrow down the situations where the reporting obligation applies by excluding cases where encrypted data is compromised, or where the risk for the individuals of suffering some kind of loss is not high.
 
“I think these changes are quite likely to be accepted, so compliance with this obligation will become a constant balancing exercise about whether to notify or not. To be honest, that is what happens today already,” he said.

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic