It’s interesting to me that the European Union’s European Commission is considering some standard rules for breach notification.  These rules would govern how companies make notification to stakeholders, and also govern their behavior throughout breach fallouts.

These “practical rules,” are being crafted from solicited input from the public, and also from national data protection authorities, as well as from consumer protection organizations.  In the wake of several high-profile breaches, it’s an understandable consideration (see several of my prior posts regarding breaches).

As stated by Neelie Kroes, the EU’s digital agenda commissioner, “The duty to notify of data breaches is an important part of the new EU telecoms rules.  But we need consistency across the EU so businesses don’t have to deal with a complicated range of different national schemes. I want to provide a level playing field, with certainty for consumers and practical solutions for businesses.”

If transparency is key, as one of the stated goals, then I wonder why no mention of government?  What of government breaches?  Is there the same timely notification requirement for various agencies?  In terms of stakeholders’ wellbeing, the government harbors extraordinarily critical content regarding citizens and their interests.

It’s of further interest to me that many “experts” feel that breaches will be an ongoing problem, by virtue of the number of private companies, banks, agencies, etc., that gather and store ever-more personal and empirical data about customers, clients, patients, and so on.

I rather agree that breaches will be an ongoing problem – but not due to an expansion of data stores – that is, more targets.  Breaches will occur largely through careless harbor; poor security security practices, lagging security initiatives, and that most venerable and vexing problem:  human error.

Joe McNamee, the head of European Digital Rights, says:  “It is precisely because there will inevitably be breaches that rules are needed to ensure that citizens are informed and that companies have compelling reasons to minimize the data they collect and maximize their internal security,” he noted.

I rather think that breaches can be thwarted – with proper security protocols, proactive updating of environments to best security features and practices, sound training of personnel, and ever better encryption techniques.

Meantime:  I’m back to government:  What is their duty in notification of breached agencies and harbored data?  Nothing I’ve read has indicated government’s oversight of… government.   

I’ll also be curious to see what’s mounted, or attempted, in terms of government control here in the United States.

I’d like to hear from you.  What are your thoughts on “breach notification laws”?

Stay safe out there.

NP:  Elsa, Cannonball Adderley, jazz24.org

No partisan ruminations here:  We IT and Business folk are nothing if not practical.  We strive to be efficient, safe, and true to the mission.  That’s our agenda.  That said, I remember a common joke I heard primarily in my youth:

The nine most terrifying words in the English language are, “I’m from the government and I’m here to help.”

And now, Government wants to “help” us in the collective digital domain: 

The Commerce Dept. unveiled a plan Friday to create a national cyber-identity system that would give consumers who opt in a single secure password and identity for all their digital transactions.  [Source:  FoxNews.com]

A single ID and password for everything I do digitally?  Most emphatically:  No thank you. 

Although, I will say, here is where government does actually achieve some efficiency:  If your Federally sponsored online ID and password are breached, ALL of your online endeavors can immediately be compromised.

But wait!  You can have multiple authentication credentials, from multiple “credential providers,” with associated fobs, or smartcards, or smartphone software, or “tokens”…  my head’s spinnin’.  This article mentions “…though having two [or more – DS] would reduce the simplicity factor, of course.” 

The drive is toward a single set of credentials per person.

Right now, I have a diverse set of authentication credentials that I manage on my own, quite nicely – for banks, stores, this blog, etc. – and I like the fact that, so far as I know, the government is not involved.  If I forget a password, or even my ID, I can provide answers to simple questions in resuming authorization and access.  Further, most if not all of my sites require further, simple, authentication measures beyond ID and password:  Such as answers to questions regarding Favorite Hobby, Name of Favorite Uncle, What Year Did You Graduate High School?, etc. – as well as CAPTCHA and other security mechanisms. 

This alone is off-putting enough:  The National Strategy for Trusted Identities in Cyberspace. 

Recognize that the Feds can’t even secure the data they presently have.  Just refer to – Report:  Military and government data breached 104 times in 2010.  Also, Google “Federal Data Breaches.”

Happy reading.

On this day:  In 1955, the first “Walk”/”Don’t Walk” lighted street signals were installed.