EU eyes board with 24 hr data breach notifications
- — 24 January, 2012 09:18
A tough new European data privacy regime, set to be unveiled this week, contains proposed penalties that appear certain to elevate privacy and security to the board room.
The European Commission will Wednesday outline a major overhaul of Europe's 1995 Data Protection Protective, proposing that companies with European operations be given just 24 hours to notify customers of a data breach, Bloomberg reported.
EU Justice Commission Viviane Reding outlined parts of the proposal at the Digital Life Design conference in Munich, Germany last weekend, ahead of the January 28 Data Privacy Day.
If the proposal passes, possibly by next year, it could spell the end to the practice of keeping an incident secret until initial investigations have been completed.
However, the proposal is expected to be met with stiff opposition, with Microsoft’s Europe chief operating officer telling the Financial Times the measures were “too prescriptive”.
While Sony was criticised for keeping its massive breach a secret for six days, more recently US security intelligence firm, Stratfor, revealed it did not inform customers of its breach until a month after the incident, citing an ongoing FBI investigation as its reason.
If passed, the new rules will apply to any organisation that manages a database of personal records and are intended to become standard legislation for Europe's 27 member nations, according to a draft proposal obtained by the Financial Times.
The draft also revealed fines, for companies that breach the legislation, of up to 2 per cent of their global turnover.
Under the proposal individuals should also be offered the "right to be forgotten" and a "right to data portability", Reuters reported.