EU security agency: LinkedIn, RIM should face incident reporting legislation

ENISA wants to close the gaps online services could slip through.

The European Network and Information Security Agency (ENISA) is pushing for online service providers like LinkedIn and network providers like Research in Motion to be included under Europe's tough data protection laws for telecoms providers.

The suggestion, outlined in its Cyber Incident Reporting in the EU document, stems from the observation that LinkedIn would not be required to report its recent password leak under Europe's proposed data protection laws because it impacted personal data.

The current set of proposals (PDF) would compel any company with a presence in Europe to report a breach if personal data is involved.

The LinkedIn incident, however, was not covered by the EU's existing telecoms regulation, despite its impact on businesses and communications -- exactly what the regulation is meant to cover.

“The Data Protection reform is focussed on processing of personal data, not on businesses,” ENISA information security officer Dr Marnix Dekker told CSO.com.au.

“It is not meant to replace or address the more general issue of privacy and security of electronic communications. The telecom framework focusses on privacy and security of communications of subscribers – be they citizens or businesses, regardless of what goes over the wire.”

This scenario was one example ENISA used to highlight “regulatory gaps” in existing and proposed data protection laws, which could be closed by changing the interpretation of “services” under, for example, Europe's telecoms regulatory framework.

LinkedIn’s breach was one of five “severe” real-world cases ENISA used to illustrate how existing and proposed data protection laws would apply.

Others included the 2011 Dagmar storm which knocked out telecommunications for millions across Scandinavia for up to two weeks; RIM’s 2011 data centre and messaging outage affecting millions of people, particularly in the financial services sector; the DigiNotar certificate breach in the Netherlands; and the China Telecom “IP hijacking” incident which briefly re-routed 15 per cent of the world’s internet traffic through servers in China.

While the Dagmar incident was covered under telecoms reporting requirements, and DigiNotar will be covered by new requirements for ‘trust services’, the LinkedIn, RIM and China Telecom incidents were “not clearly in scope or the subject of debate between providers and the national regulator”, according to ENISA.

The EU could widen the interpretation of telecoms services “because the landscape of electronic communications is continuously changing (from landline telephones and minitel in the past, to mobile phones, internet and VoIP),” it said.

"We are looking at these issues from the perspective of the subscribers (business or citizens) who expect electronic communications to be secure and private," said Dekker.


Comments

Marnix Dekker


Dear Liam,

Thanks a lot for the nice coverage of our article. As one of the authors, I would like to clarify two things briefly:

- The exception for 'hashed' data in the data protection legislation is probably a bit unfortunate: it is becoming increasingly clear that hashing is not trivial and that even hashed data can become intelligible later on. But this is not what we mean by 'gaps'. By 'gaps' we mean that national regulators currently use a very rigid definition of 'electronic communications'. This means that when two business partners communicate via LinkedIn, this would not be covered under existing legislation. If, on the other hand, they were to communicate using SMS or phone, then it would fall under existing ecomms legislation. But for the user there is no big difference - it is just a way to speak.

- A second point: the title of the article suggests that data protection rules should be extended. Note that the term data protection in the EU often refers to protection of personal data, i.e. data of individuals. We believe that, regardless of the parties involved in the communication, there should be laws that address confidentiality, outages, et cetera. Companies too, using electronic communications to exchange working documents for example, should be able to rely on secure and private communications. The proposed data protection reform, for example, would address some of the gaps where personal data is concerned - but this still leaves business data uncovered.

Whether EU countries adopt new legislation, change/extend existing legislation - or ... 'reinterpret' existing legislation, it is the same in the end. But the gaps should be addressed somehow, we believe. Having said that, there will always be fringe cases - the best approach is to keep an eye on technology and see what citizens and businesses are using, and what they need in terms of legislation.

Again, thanks a lot for the quotes and your reaction - you run an excellent magazine,

Best, Marnix
