It’s interesting to me that the European Union’s European Commission is considering some standard rules for breach notification. These rules would govern how companies make notification to stakeholders, and also govern their behavior throughout breach fallouts.
These “practical rules” are being crafted from input solicited from the public, from national data protection authorities, and from consumer protection organizations. In the wake of several high-profile breaches, it’s an understandable consideration (see several of my prior posts regarding breaches).
As stated by Neelie Kroes, the EU’s digital agenda commissioner, “The duty to notify of data breaches is an important part of the new EU telecoms rules. But we need consistency across the EU so businesses don’t have to deal with a complicated range of different national schemes. I want to provide a level playing field, with certainty for consumers and practical solutions for businesses.”
If transparency is one of the stated key goals, then I wonder why there is no mention of government. What of government breaches? Is there the same timely notification requirement for the various agencies? In terms of stakeholders’ wellbeing, the government harbors extraordinarily critical content regarding citizens and their interests.
It’s of further interest to me that many “experts” feel that breaches will be an ongoing problem, by virtue of the number of private companies, banks, agencies, etc., that gather and store ever-more personal and empirical data about customers, clients, patients, and so on.
I rather agree that breaches will be an ongoing problem – but not due to an expansion of data stores, that is, more targets. Breaches will occur largely through careless harboring of data: poor security practices, lagging security initiatives, and that most venerable and vexing problem, human error.
Joe McNamee, the head of European Digital Rights, noted: “It is precisely because there will inevitably be breaches that rules are needed to ensure that citizens are informed and that companies have compelling reasons to minimize the data they collect and maximize their internal security.”
I rather think that breaches can be thwarted – with proper security protocols, proactive updating of environments to best security features and practices, sound training of personnel, and ever better encryption techniques.
Meantime, I’m back to government: what is its duty in notification when agencies and the data they harbor are breached? Nothing I’ve read has indicated government’s oversight of… government.
I’ll also be curious to see what’s mounted, or attempted, in terms of government control here in the United States.
I’d like to hear from you. What are your thoughts on “breach notification laws”?
Stay safe out there.
NP: Elsa, Cannonball Adderley, jazz24.org