ENISA Surveys Stakeholders of Upcoming EU Data Breach Notification Regime

SUMMARY:

The European Network and Information Security Agency (ENISA) recently published a report on data security breach notifications in the European Union. To prepare this report, the agency surveyed data protection authorities, telecoms regulatory authorities and telecommunications operators from various European Union countries, and even from outside the EU, such as the United States.

The report provides an understanding of the practices and challenges surrounding the upcoming security breach notification obligation, and is mainly intended to assist public authorities and private companies in the European Union as they put in place policies concerning security breaches.

From the responses given by the various stakeholders, ENISA establishes the main characteristics of security breaches and the major questions and issues related to them. In addition, ENISA provides a set of recommendations that will surely help public authorities and companies in the future.

Introduction

The European Network and Information Security Agency (or ENISA) published on January 14 a report entitled “Data breach notifications in the European Union”.

As mandatory data breach notification procedures are set to become binding throughout the European Union by May 25 of this year for all telecommunications companies providing publicly available electronic communications services, it is of growing interest for these companies and regulatory authorities to get tools and guidelines about how to manage these new requirements.

ENISA is an agency of the European Union located in Greece that was created by Regulation 460/2004/EC in 2004 and aims mainly “to achieve a high and effective level of network and information security within the European Union” in cooperation with member states, institutions and companies.

The new report is based on surveys ENISA distributed last year to various regulatory authorities (including data protection authorities) and to the private sector, e.g. telecommunications operators. The agency then undertook follow-up interviews with these stakeholders until June 2010 and took a very practical approach to data breach notification in order to gather as much information as it could from them, and to understand the practices and challenges of future mandatory data breach notification requirements.

The report aims to assist public authorities and private organisations in the European Union and Member States as they implement data breach notification policies, especially if they do not have significant experience with these policies. It may serve as a basis of discussion for all stakeholders about how they should coordinate national procedures, how they could better cooperate and harmonize with one another under the new telecommunications regulatory framework, and as input to the European Commission.

"Grillage gelé" (Photo by "Photophilius"; shot on Dec. 13, 2008). Available at http://www.flickr.com/photos/30254220@N04/3116313871/ (Creative Commons "Attribution-NonCommercial-ShareAlike 2.0 Generic (CC BY-NC-SA 2.0)" license.)

I. Context of implementation of data breach notification in the European Union

The legal framework of data breach notification in the European Union is contained in Directive 2009/136/EC of 25 November 2009, which amends the e-Privacy Directive (2002/58/EC) and was voted during the adoption of the “Telecom Package”. It requires telecommunications companies and Internet service providers to notify personal data breaches to the competent data protection authority and, in certain cases, to the data subject. The text has to be implemented by May 25, 2011 in all EU Member States.

The paragraphs concerning data breach notification requirements are reproduced below:

Paragraph 3:

“In the case of a personal data breach, the provider of publicly available electronic communications services shall, without undue delay, notify the personal data breach to the competent national authority.

When the personal data breach is likely to adversely affect the personal data or privacy of a subscriber or individual, the provider shall also notify the subscriber or individual of the breach without undue delay.

Notification of a personal data breach to a subscriber or individual concerned shall not be required if the provider has demonstrated to the satisfaction of the competent authority that it has implemented appropriate technological protection measures, and that those measures were applied to the data concerned by the security breach. Such technological protection measures shall render the data unintelligible to any person who is not authorized to access it.

Without prejudice to the provider’s obligation to notify subscribers and individuals concerned, if the provider has not already notified the subscriber or individual of the personal data breach, the competent national authority, having considered the likely adverse effects of the breach, may require it to do so.

The notification to the subscriber or individual shall at least describe the nature of the personal data breach and the contact points where more information can be obtained, and shall recommend measures to mitigate the possible adverse effects of the personal data breach. The notification to the competent national authority shall, in addition, describe the consequences of, and the measures proposed or taken by the provider to address, the personal data breach.”

Paragraph 4:

“Subject to any technical implementation measures adopted under paragraph 5, the competent national authorities may adopt guidelines and, where necessary, issue instructions concerning the circumstances in which providers are required to notify personal data breaches, the format of such notification and the manner in which the notification is to be made. They shall also be able to audit whether providers have complied with their notification obligations under this paragraph, and shall impose appropriate sanctions in the event of a failure to do so.

Providers shall maintain an inventory of personal data breaches comprising the facts surrounding the breach, its effects and the remedial action taken, which shall be sufficient to enable the competent national authorities to verify compliance with the provisions of paragraph 3. The inventory shall only include the information necessary for this purpose”.

Paragraph 5:

“In order to ensure consistency in implementation of the measures referred to in paragraphs 2, 3 and 4, the Commission may, following consultation with the European Network and Information Security Agency (ENISA), the Working Party on the Protection of Individuals with regard to the Processing of Personal Data established by Article 29 of Directive 95/46/EC and the European Data Protection Supervisor, adopt technical implementing measures concerning the circumstances, format and procedures applicable to the information and notification requirements referred to in this Article. When adopting such measures, the Commission shall involve all relevant stakeholders particularly in order to be informed of the best available technical and economic means of implementation of this Article. Those measures, designed to amend non-essential elements of this Directive by supplementing it, shall be adopted in accordance with the regulatory procedure with scrutiny referred to in Article 14a(2).”

Once those articles are transposed into national law, telecommunications companies will therefore be required to notify data breaches.

Some countries, however, already have a data breach notification requirement in their national law, such as Germany and the United Kingdom, where it is limited to public sector organisations. For private organisations in the UK, the Information Commissioner's Office only encourages notification. In Spain, a Royal Decree (No. 1720/2007), which approves the regulation implementing Organic Law 15/1999, states that data controllers, as part of their security policy, shall draw up a security document containing, among other aspects, provisions related to a procedure for the notification, management and response to incidents. Moreover, article 90 of the Royal Decree states that “[t]here shall be a procedure for notification and management of incidents that affect personal data and a register established for recording the type of incident, the moment it occurred or, if appropriate, was detected, the person making the notification, to whom it was communicated, the effect arising from it and the corrective measures applied.”

To prepare its report, ENISA studied the principal stakeholders’ practices and gathered information on their concerns and challenges. This information should help in understanding the main difficulties that regulatory authorities and private sector companies may face when interpreting and applying data breach notification regimes. The survey covers stakeholders from Europe as well as some from non-EU countries, such as Turkey, Norway and the United States.

II. An outlook on stakeholders

A. Data protection authorities

ENISA’s survey of data protection authorities provided important information on the different ways the notification of data breaches is conceived in Europe and on the key issues EU Member States must deal with in the coming months. A majority of data protection authorities support mandatory notifications for telecoms operators. They also have budgetary concerns: that the additional duties created by the new notification obligation will interfere with pre-existing responsibilities.

Definition of “data breach” and criteria

The different authorities surveyed referred consistently to Directive 95/46/EC as the basis for their respective countries’ definitions for personal data and data subjects.

Article 2 (a) of Directive 95/46/EC:

“ ‘personal data’ shall mean any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity”

The definition of “data breach” varies from country to country. However, despite the broad range of definitions and criteria, some common types of data breach can be identified:

  • Loss of IT equipment: misplaced or stolen equipment – laptops, USB sticks, etc.
  • Mailing: distribution of a letter in the mail or an email to an incorrect address that includes personal data.
  • Improper disposal of documents: leaving personal data in documents deposited in a garbage bin that can be accessed by the public.
  • Hacking: malicious attacks on computer networks.
  • Technical error: unforeseen complication in an IT system exposing data to outside parties.
  • Theft: data in the form of documents, electronically stored data, etc. that is stolen.
  • Unauthorised access: employees taking advantage of vulnerabilities to access personal data of customers stored in files or electronically.
  • Unauthorised distribution: distributing personal data on P2P file-sharing networks.

It is accepted that in order for procedures to be effective, the decision to notify a breach should be based on the risks it could create. The report points out that:

“[T]here is a view that decisions should be risk-based. In other words, if there is no real risk to the data subjects, a notification would be redundant. For example, if the data breached was encrypted, it is not likely that the information could be exploited in any way”.

Be that as it may, the decision should not rely only on quantitative indicators (such as the number of persons concerned), but also on qualitative indicators, for example whether sensitive data are affected by the breach.

Notification procedure

Few regulatory authorities have formal procedural guidelines, as notifications are not yet mandatory in most EU countries. Nevertheless, the report lists some of its main features:

  • The decision to issue a notification can be made either by the data controller itself, or be based upon a directive from the regulatory authority;
  • Notification can happen in a number of ways: most data protection authorities considered a phone call and an email sufficient, the means of notification being decided mainly on a case-by-case basis;
  • It is, however, important that the notification include (i) a description of the nature of the breach, (ii) the number of people affected, and (iii) what is being done to contain the breach;
  • Most authorities agree on the need for real transparency about how data controllers notify data subjects of a breach (letters by regular mail, emails, etc.);
  • The notion of “undue delay” is interpreted in different ways. There is a need for a clear deadline by which to notify a breach.

Compliance

To better enforce compliance, data protection authorities are increasingly using monetary penalties. Negative publicity in the media and the use of black lists are also considered effective tools.

ENISA’s recommendations

In the wake of a mandatory data breach notification regime, ENISA gives data protection authorities some recommendations:

  • they should offer data controllers an early-stage trial period during which they can notify the authority of a large number of data breaches as they learn to define and prioritise them;
  • they should establish guidelines explaining how to report breaches to the authority and to data subjects, covering both the means of notification and its content;
  • they should also consider various deterrence measures, from fines to media exposure of serious offenders, but also issue awards and praise the work of data controllers that comply with the law.

B. Private sector

When asked about their opinion on data breach notification regimes, telecommunications operators “overwhelmingly agreed that it was in their best interests to secure private data belonging to their customers”.

Background

  • 64 % of telecommunications operators indicated that they are notifying both regulatory authorities and data subjects of breaches and, in some cases, risks of breaches.
  • Most respondents among telecommunications operators had begun issuing notifications within the past 1-5 years.
  • 44 % of the operators had an individual identified as a data protection officer or data ombudsman, or a division set up specifically to handle data protection and privacy.

Definitions and criteria

  • The operators that answered ENISA’s survey agreed on the same definition of “personal data”, corresponding to Article 2(a) of Directive 95/46/EC.
  • Definition of “breach”: ENISA notes that operators “are also applying consistent criteria for defining what counts as a breach.” Survey respondents mentioned “unauthorised access to personal data” as a key factor in defining a breach. Some operators indicated that the “risk of a breach” or “compromise of personal data” was sufficient to classify an event as a breach.
  • Factors taken into consideration can include:
    • the number of data subjects at risk;
    • the quantity of data at risk;
    • the age of data;
    • the nature of the breach, i.e. technical, human error, or theft.
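The risk-based decision discussed earlier (quantitative indicator: number of persons concerned; qualitative indicator: whether sensitive data are involved; encrypted data as the case where the Paragraph 3 exemption from notifying subscribers applies), the factors listed just above, and the inventory of facts, effects and remedial action that Paragraph 4 asks providers to keep can be sketched together in code. The following Python is an added illustration written for this post, not ENISA's code or any operator's actual procedure; the list of sensitive categories, the 1,000-subject threshold, the mitigation wording and the sample incidents are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Qualitative indicator: data categories treated as sensitive in this
# illustration. The report only says "whether sensitive data are concerned";
# this concrete list is an assumption.
SENSITIVE_CATEGORIES = {"health", "bank account", "password"}

# Quantitative indicator: subject count at or above which the breach is treated
# as high risk here. The threshold is an assumption, not a figure from the report.
HIGH_RISK_SUBJECT_COUNT = 1000

# Mitigation advice per data category (assumed wording for the illustration).
MITIGATION_ADVICE = {
    "password": "change your password and any reused passwords",
    "bank account": "watch your statements for unknown transactions",
    "address": "be alert to unexpected mail or callers quoting your details",
}


@dataclass
class BreachRecord:
    """One entry of the inventory Paragraph 4 asks providers to maintain: the
    facts surrounding the breach, its effects and the remedial action taken."""
    breach_id: str
    breach_type: str            # e.g. "hacking", "loss of IT equipment", "mailing"
    occurred_at: datetime
    detected_at: datetime
    notified_by: str            # who raised the incident internally
    data_categories: List[str]  # categories of personal data concerned
    subjects_affected: int
    data_unintelligible: bool   # protected (e.g. encrypted) so unauthorised persons cannot read it
    effects: str = ""
    remedial_action: str = ""


def assess_risk(record: BreachRecord) -> str:
    """Combine the quantitative indicator (number of persons) with the
    qualitative one (sensitive categories) into a coarse risk level."""
    if record.data_unintelligible:
        # The report's own example: encrypted data is not likely to be exploited.
        return "low"
    sensitive = SENSITIVE_CATEGORIES.intersection(c.lower() for c in record.data_categories)
    if sensitive or record.subjects_affected >= HIGH_RISK_SUBJECT_COUNT:
        return "high"
    return "medium" if record.subjects_affected > 0 else "low"


def decide_notification(record: BreachRecord) -> Dict[str, object]:
    """Paragraph 3 logic: the competent authority is notified of every personal
    data breach; subjects are notified when the breach is likely to adversely
    affect them, unless the data was rendered unintelligible."""
    risk = assess_risk(record)
    return {
        "authority": True,
        "subjects": risk != "low" and not record.data_unintelligible,
        "risk": risk,
    }


def draft_notifications(record: BreachRecord, contact_point: str) -> Dict[str, Dict[str, str]]:
    """Draft the minimum content Paragraph 3 lists: nature of the breach, a
    contact point and mitigation advice for subjects; for the authority, also
    the consequences and the measures taken."""
    nature = (f"{record.breach_type} affecting {', '.join(record.data_categories)} "
              f"of {record.subjects_affected} subject(s)")
    advice = "; ".join(MITIGATION_ADVICE[c.lower()] for c in record.data_categories
                       if c.lower() in MITIGATION_ADVICE) or "none required"
    drafts = {"authority": {
        "nature": nature,
        "contact_point": contact_point,
        "mitigation_advice": advice,
        "consequences": record.effects,
        "measures_taken": record.remedial_action,
    }}
    if decide_notification(record)["subjects"]:
        drafts["subjects"] = {"nature": nature, "contact_point": contact_point,
                              "mitigation_advice": advice}
    return drafts


# Constructed sample incidents, one per outcome (not real data).
SAMPLE_RECORDS = [
    BreachRecord("INC-1", "hacking", datetime(2011, 1, 3, 22, 10), datetime(2011, 1, 4, 8, 0),
                 "security operations", ["name", "password"], 5000, False,
                 effects="credential reuse by attackers", remedial_action="passwords reset"),
    BreachRecord("INC-2", "loss of IT equipment", datetime(2011, 1, 10), datetime(2011, 1, 10),
                 "field engineer", ["name", "address"], 200, True,
                 effects="none expected, disk encrypted", remedial_action="device remotely wiped"),
    BreachRecord("INC-3", "mailing", datetime(2011, 1, 12), datetime(2011, 1, 14),
                 "customer service", ["name", "address"], 1, False,
                 effects="one invoice sent to the wrong customer",
                 remedial_action="recipient asked to destroy the letter"),
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec.breach_id, decide_notification(rec))
```

The encrypted-laptop incident (INC-2) still goes into the inventory and to the authority, which matches the directive's structure: the exemption only removes the duty to notify subscribers, not the duty to notify the regulator or to keep a record.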

Procedure of notification

  • Some operators from countries where the notification is already mandatory have indicated that they were given guidelines for the information that should be communicated to them in the case of a data breach.
  • As it is not yet mandatory, notification is not systematic for the telecommunications operators surveyed but is determined on a case-by-case basis. Nevertheless, they generally agree that notifying a breach to data subjects can help mitigate the potential negative effects for their customers.
  • Elements commonly notified include:
    • an explanation of the type of data breached, e.g. bank account details and addresses;
    • details on when the breach occurred;
    • recommended steps to mitigate the impact of the breach, e.g. instructions on how to change passwords and usernames;
    • explanation of what the operator is doing in order to improve customer data security and prevent similar incidents in the future.
  • The operators have indicated that too strict a deadline could reduce the effectiveness of the notification procedure and their ability to solve the problem encountered.
  • Most operators ENISA surveyed are interested in a real cooperation with regulatory authorities and in getting guidelines from them.

Recommendations from ENISA

  • “Service providers should allocate legal, marketing and technical resources to oversee data breach notification procedures, with direct access to board level decision makers who can oversee decisions to issue notifications in serious cases.
  • Operators will have to invest in updating their contact records for customers, ensuring that information is current and accurate. This will avoid missed notifications or notifications being issued to the wrong data subject.
  • Operators should prepare a list of examples of potential incidences that do not clearly fit into legislation, and seek guidance in advance from [data protection] authorities in order to avoid any future confusion”.

Conclusion

ENISA’s report provides operators and the various national data protection authorities with a global view of the existing practices that could be used for the future application of mandatory data breach notification regimes.

Indeed, as all EU Member States must implement such a regime within a few months (by late May 2011), it will prove useful for stakeholders to prepare, already now, guidelines that establish management practices compliant with the main features an EU-wide data breach notification regime is likely to have.

Right now, it is quite difficult to clearly identify what the ideal data breach notification policy would be. The first experiences will certainly be very instructive in developing guidelines and good practices based on real cases.

At any rate, ENISA already provides us with useful examples of practices in Europe, helping the stakeholders in their study of the question:

  • The risks should be clearly identified.
  • Breaches should be evaluated and prioritised before being notified to data protection authorities and data subjects.
  • The means of notification should be specifically decided by the operators and used without undue delay.
  • Regulatory authorities should strengthen compliance.
  • Private operators and data protection authorities should cooperate to strengthen security through this new procedure.

In the future, the data breach notification requirement will most probably be extended to other sectors, for example the healthcare and financial sectors, and is being promoted by many actors within the EU institutions, such as the European Data Protection Supervisor. Analysing how the telecommunications sector applies this obligation will prove of real interest in the near future.

Farid Bouguettaya and Cédric Laurant

Reference documents:

ENISA report: Data breach notification in the EU (January 13, 2011)

Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009

Directive 2002/58/EC (also called “e-Privacy Directive”)

Directive 95/46/EC (Data Protection Directive)

Comments
3 Responses to “ENISA Surveys Stakeholders of Upcoming EU Data Breach Notification Regime”
  1. Rick says:

    Hi

    Great Blog, I love this stuff.

Trackbacks
Check out what others are saying...
  1. […] on privacy and electronic communications 2002/58/EC in Directive 2009/136/EC (more details in earlier posts in this blog) that applies to telecommunications companies and Internet service providers. Then, in […]