Enisa: Telecoms companies are wary of data breach law

Summary: The Europe-wide security agency has said that companies are worried about a new law that would compel them to inform their customers when a data breach has occurred.

TOPICS: Security

Telecoms providers and data-protection authorities are worried by the potential fallout of an upcoming European data-breach notification law, according to the European Network Information Security Agency.

Enisa, the EU's information security policy adviser, outlined its concerns in a report on the effects of the E-Privacy Directive issued on Friday. The study is designed to provide guidance to telecommunication providers as they prepare for the law, which forces companies to inform customers about data breaches.

"Gaining and maintaining the trust and buy-in of citizens that their data is secure and protected represents a potential risk to the future development and take-up of innovative technologies and higher value-added online services across Europe, and will be a key challenge for organisations," said the report.

Under the E-Privacy Directive, from March telecoms companies must publicise data breaches. In addition, the banking, healthcare and small business sectors are being considered for inclusion in data-breach notification law by the European Commission.

The study found that electronic communications companies are concerned about the damage that breach notification could do to their brands. They also wanted guidance on how to prioritise breaches according to severity and advice on categorising types of data.

For their part, data-protection regulators are worried about having sufficient resources to cope with notification, a lack of sanctions, a lack of technical expertise, and how to raise data-protection awareness, according to Enisa.

Public confidence
The E-Privacy Directive gives businesses a legal impetus to guard against data breaches, in addition to the reputational impetus, according to the EU body. High-profile incidents of data loss and exposure have shaken public confidence in organisations' abilities to keep personal data safe, it said.

"Every day there seems to be headlines that personal data has been leaked, that someone has found a laptop on a train," Enisa data-breach expert Sławomir Górniak told ZDNet UK.

Organisations must gain public trust that personal data will not be divulged, otherwise they risk hindering the take-up of innovative technologies, according to Enisa. Measures such as encryption can mitigate the risk, said Górniak. "If you lose a laptop, and it's encrypted, and you have the keys, then this is not a data breach," he said.

In the UK, the data-protection regulator is the Information Commissioner's Office (ICO). The regulator has the power to fine organisations for breaching data-protection laws, but did not fine Google over its Street View collection of personal data. In November, the ICO levied its first fines, against Hertfordshire County Council and employment services company A4e.

Tom Espiner

About Tom Espiner

Tom is a technology reporter for ZDNet.com. He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.
