The European Network and Information Security Agency (ENISA) is pushing for online service providers like LinkedIn and network providers like Research in Motion to be included under Europe's tough data protection laws for telecoms providers.
The suggestion, outlined in its Cyber Incident Reporting in the EU document, stems from the observation that LinkedIn would not be required to report its recent password leak under Europe's proposed data protection laws because it impacted personal data.
The current set of proposals would compel any company with a presence in Europe to report a breach if personal data is involved.
The LinkedIn incident, however, was not covered by the EU's existing telecoms regulation, despite it having an impact on businesses and communications -- exactly what the regulation is meant to cover.
“The Data Protection reform is focussed on processing of personal data, not on businesses,” ENISA information security officer Dr Marnix Dekker told CSO.com.au.
“It is not meant to replace or address the more general issue of privacy and security of electronic communications. The telecom framework focusses on privacy and security of communications of subscribers – be they citizens or businesses, regardless of what goes over the wire.”
This scenario was one example ENISA used to highlight “regulatory gaps” in existing and proposed data protection laws, which could be closed by changing the interpretation of “services” under, for example, Europe's telecoms regulatory framework.
LinkedIn’s breach was one of five “severe” real-world cases ENISA used to illustrate how existing and proposed data protection laws would apply.
Others included the 2011 Dagmar storm which knocked out telecommunications for millions across Scandinavia for up to two weeks; RIM’s 2011 data centre and messaging outage affecting millions of people, particularly in the financial services sector; the DigiNotar certificate breach in the Netherlands; and the China Telecom “IP hijacking” incident which briefly re-routed 15 per cent of the world’s internet traffic through servers in China.
While the Dagmar incident was covered under telecoms reporting requirements, and DigiNotar will be covered by new requirements for ‘trust services’, the LinkedIn, RIM and China Telecom incidents were “not clearly in scope or the subject of debate between providers and the national regulator”, according to ENISA.
The EU could widen the interpretation of telecoms services “because the landscape of electronic communications is continuously changing (from landline telephones and minitel in the past, to mobile phones, internet and VoIP),” it said.
"We are looking at these issues from the perspective of the subscribers (business or citizens) who expect electronic communications to be secure and private," said Dekker.