Europeans Will Now Know When And What Data Gets Compromised In A Breach — Unless It Was Encrypted

In the wake of the latest notice from a major internet company revealing that user data has been compromised — Facebook’s admission of a security bug compromising data from 6 million users — the European Commission today is publishing new, Europe-wide rules that will require ISPs, carriers, broadband providers and others to report to both national regulators and to subscribers more specific detail about what has been compromised within 24 hours of the breach.

But it’s also throwing them a couple of bones. First, to get companies to invest a bit more in security, providers that implement approved encryption techniques (the appropriate protection measures) do not have to notify the subscriber, although they still have to notify the national authority. Second, the EC is not requiring ISPs and others to report all breach details to subscribers; it merely gives them more specific criteria to help assess when they should.

There is another question mark here: how these rules affect companies who are not ISPs but are still retaining vital customer information. We are reaching out to the EC to ask how, for example, sites like Facebook, Twitter or Evernote — all of whom have released statements on breaches and leaked information in the last several months — would be impacted by the rules.

(Update: Still waiting to hear back on the impact to internet companies, but in the meantime the EC has sent me some other details. It turns out that governments will be exempt from these rules. “The measures apply only to telecoms providers and ISPs,” a spokesperson told me. “The ePrivacy Directive itself has a general exemption for justified national security reasons, and government requests for access to personal information must be court-approved.”

Update 2: Facebook, Google and others are not covered by the ePrivacy Directive, and therefore not by today’s news, according to the spokesperson. They are, however, covered by the Data Protection Directive, which affects all controllers of data, and may end up getting rolled into the same requirements as a result of that. “The Commission also proposes to update that wider data protection directive,” he says. “But we don’t know what the outcome of those reform negotiations will be yet. If the Commission proposal stayed in its original form, then yes, Facebook, Google, etc. would have the same obligations as outlined today to telecoms companies.” Obviously any further substantive questions on this particular issue, the spokesperson adds, should be directed to Viviane Reding’s office; she is the VP of the EC in charge of justice.)

The background to this: the EC points out that it has had specific data reporting rules in place since 2011 — you can read them here. These cover such details as names, addresses and bank account details, and information about phone calls and websites visited. The issue is that these rules fall under a “general obligation” that has not been clear on timescales and specific requirements.

The new rules released today cover four main areas:

  • National authorities will now need to be informed within 24 hours of a breach being detected. “If full disclosure is not possible within that period,” the EC writes, “they should provide an initial set of information within 24 hours, with the rest to follow within three days.”
  • Companies will now need to specify which pieces of information are affected and what measures have been or will be applied by the company.
  • Companies are also being given more specific criteria to use in deciding whether to inform users. “In assessing whether to notify subscribers (i.e. by applying the test of whether the breach is likely to adversely affect personal data or privacy), companies should pay attention to the type of data compromised, particularly, in the context of the telecoms sector, financial information, location data, internet log files, web browsing histories, e-mail data, and itemised call lists.” Annoyingly, this means that the EC is stopping short of requiring companies to always inform users.
  • And, because this is a bureaucracy we’re talking about, the EC will now create a standardised format (“for example an online form that is the same in all EU Member States”) that companies will use to notify authorities.

Along with not requiring companies to disclose all data breach information to users, the EC is giving them one more exit from reporting: if they invest in appropriate encryption, they would be “exempt from the burden of having to notify the subscriber.” This is because encryption techniques “would render the data unintelligible to any person not authorised to see it.” The EC says it will be working with ENISA, the European information technology security agency, to publish a list of approved encryption techniques.

These rules are set to come into force in the next two months, and whether or not you think they will increase confidence in companies, the EC sees them as a step closer to a fully disclosed and fair system:

“Consumers need to know when their personal data has been compromised, so that they can take remedial action if needed, and businesses need simplicity. These new practical measures provide that level playing field,” European Commission Vice-President Neelie Kroes said in a statement.

These rules will be separate from two other major developments on how companies can use IT data and implement security: a proposed revision of the EU legal framework for data protection and a new proposal for a Directive on network and information security.