Enisa: Telecoms companies are wary of data breach law

The Europe-wide security agency has said that companies are worried about a new law that would compel them to inform their customers when a data breach has occurred

Telecoms providers and data-protection authorities are worried by the potential fallout of an upcoming European data-breach notification law, according to the European Network and Information Security Agency.

Enisa, the EU's information security policy adviser, outlined its concerns in a report on the effects of the E-Privacy Directive issued on Friday. The study is designed to provide guidance to telecommunication providers as they prepare for the law, which forces companies to inform customers about data breaches.

"Gaining and maintaining the trust and buy-in of citizens that their data is secure and protected represents a potential risk to the future development and take-up of innovative technologies and higher value-added online services across Europe, and will be a key challenge for organisations," said the report.

Under the E-Privacy Directive, from March telecoms companies must publicise data breaches. In addition, the banking, healthcare and small business sectors are being considered for inclusion in data-breach notification law by the European Commission.

The study found that electronic communications companies are concerned about the damage that breach notification could do to their brands. They also wanted guidance on how to prioritise breaches according to severity and advice on categorising types of data.

For their part, data-protection regulators are worried about having sufficient resources to cope with notification, a lack of sanctions, a lack of technical expertise, and how to raise data-protection awareness, according to Enisa.

Public confidence
The E-Privacy Directive gives businesses a legal impetus to guard against data breaches, in addition to the reputational impetus, according to the EU body. High-profile incidents of data loss and exposure have shaken public confidence in organisations' abilities to keep personal data safe, it said.

"Every day there seems to be headlines that personal data has been leaked, that someone has found a laptop on a train," Enisa data-breach expert Sławomir Górniak told ZDNet UK.

Organisations must gain public trust that personal data will not be divulged, otherwise they risk hindering the take-up of innovative technologies, according to Enisa. Measures such as encryption can mitigate the risk, said Górniak. "If you lose a laptop, and it's encrypted, and you have the keys, then this is not a data breach," he said.

In the UK, the data-protection regulator is the Information Commissioner's Office (ICO). The regulator has the power to fine organisations for breaching data-protection laws, but did not fine Google over its Street View collection of personal data. In November, the ICO levied its first fines, against Hertfordshire County Council and employment services company A4e.
