Privacy Advisor

New Law Could Require ‘Incident’ Reporting, Whether Data Is Compromised or Not

January 28, 2014

By Jennifer Baker, EU Correspondent

While many privacy professionals have their eyes firmly fixed on the EU’s ongoing data protection overhaul, a second law is also in the works that could have an equally big impact.

In February last year, the European Commission put forward its cybersecurity strategy, the main cornerstone of which is a Network and Information Security (NIS) Directive. The proposed Data Protection Regulation, currently being examined by the European Parliament, only covers security incidents where personal data is compromised. Therefore cyber attacks that do not target data would not need to be reported.

The NIS Directive would change that.

Who Should Be Concerned? Everyone

Under the NIS Directive, so-called “enablers of information society services” as well as companies that own, operate or provide technology for critical infrastructure facilities, would be required to report any security breach that "significantly affects the continuity of critical services and supply of goods" to a national authority.

This differs significantly from the U.S. approach, which focuses almost entirely on critical infrastructure. By extending the rules to include key Internet companies (those "information service providers"), the EU rules would apply to a vastly greater number of businesses.

Telecom companies are already required to report significant security incidents. The new directive would extend that to companies such as PayPal, Google, Amazon, eBay and Skype; other major Internet companies such as large cloud providers, social networks, e­commerce platforms and search engines; the banking sector, and those companies that provide goods or services to such owners, operators or vendors.

According to the commission, 93 percent of large corporations experienced a cyber attack in 2012, making it a commonplace occurrence. Yet nearly three quarters of 160 respondents to an online commission consultation said that the requirement to report cyber incidents would not incur any additional costs, and more than two thirds said that implementing a state-of-the-art NIS risk management system would not result in increased costs.

Consequences

It will be up to member states how they write the directive into national law, so sanctions for failing to report an incident will vary from country to country. However, Article 15 stipulates that member states must investigate all cases of noncompliance.

They must also appoint a competent authority with the power to carry out security audits and to require market operators and public administrations to provide network security information. The draft directive text also requires "effective, proportionate and dissuasive" sanctions for noncompliance.

Once an “incident” has been reported to a national authority, it shall be required to designate a contact agency that is responsible for sharing information about cyber threats with other countries as well as the ENISA. This authority "may require that the public be informed," but a public announcement will not be mandatory.

Timeframe

The directive is currently being debated by the European Parliament and various amendments have already been suggested.

French MEP Marie-Christine Vergiat has suggested that the standard of protection required of organizations should differ based on the extent of damage that could be caused in the event of a breach of the protections put in place by each organization.

Another proposal is to delay the implementation of the NIS Directive until after the new Data Protection Regulation is finalized.

Further changes to the text are likely. As it stands, however, EU member states would have 18 months to write it into their national legislation, although there have been proposals in the European Parliament to shorten this to 12 months.

The Data Protection Regulation may be garnering everyone’s attention at the moment, but in reality the Cybersecurity Directive could have far more wide-reaching reporting requirements.

To whom in the organization would these reporting requirements fall? It could be the IT team or it could be the same compliance team now tasked with privacy considerations. Regardless, organizations would be wise to figure out responsibilities now in anticipation of not one, but two significant pieces of legislation making their way toward becoming law.

Jennifer Baker is a full-time journalist working out of Brussels for the likes of IDG News Service (Computerworld, PCWorld), European Voice, NewEurope and now for the IAPP. She covers IT and privacy policy developments. Find her on Twitter at @BrusselsGeek.