ENISA Publishes a Report on Data Breach Notifications in Europe
The European Network and Information Security Agency (ENISA), an agency helping the European Commission, the Member States and the business community to address and prevent network and information security issues, published this month a report (the Report) on data breach notifications in the European Union (EU).
The European Commission Directive 2009/136/EC amended Directive 2002/58/EC (the ePrivacy Directive). The revised ePrivacy Directive introduces the concept of mandatory data breach notifications to EU law. Member States must implement the Directive by May 25, 2011, but, as of now, data breach notifications are not yet mandatory in most of the Member States.
Since the Directive is not yet implemented by most Member States, telecommunication operators cannot yet rely on their state legislators for guidance on how to comply effectively with data breach notification requirements. This is why ENISA surveyed and interviewed regulatory authorities, legal experts, private companies and industry experts to gather information about the challenges the telecommunications sector may have to face in order to comply with mandatory data breach notifications.
The Report found that telecommunication operators were worried that mandatory breach notifications would have a negative effect on their brands, and were questioning how to assess whether the seriousness of a particular breach should trigger a notification, so as to prevent ‘notification fatigue’ for both the operator and the data subjects.
The new EU data breach notification rules
ENISA considers that making data breach notification mandatory “is an important development with a potential to increase the level of data security in Europe and foster reassurance amongst citizens on how their personal data is being secured and protected by electronic communication sector operators” (p. 8).
Article 2 (h) of the revised ePrivacy Directive now defines a “personal data breach” as:
a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service in the Community.
The revised Article 4 of the ePrivacy Directive states that:
In the case of a personal data breach, the provider of publicly available electronic communications services shall, without undue delay, notify the personal data breach to the competent national authority.
When the personal data breach is likely to adversely affect the personal data or privacy of a subscriber or individual, the provider shall also notify the subscriber or individual of the breach without undue delay.
Notification of a personal data breach to a subscriber or individual concerned shall not be required if the provider has demonstrated to the satisfaction of the competent authority that it has implemented appropriate technological protection measures, and that those measures were applied to the data concerned by the security breach. Such technological protection measures shall render the data unintelligible to any person who is not authorised to access it.
Without prejudice to the provider’s obligation to notify subscribers and individuals concerned, if the provider has not already notified the subscriber or individual of the personal data breach, the competent national authority, having considered the likely adverse effects of the breach, may require it to do so.
The notification to the subscriber or individual shall at least describe the nature of the personal data breach and the contact points where more information can be obtained, and shall recommend measures to mitigate the possible adverse effects of the personal data breach. The notification to the competent national authority shall, in addition, describe the consequences of, and the measures proposed or taken by the provider to address, the personal data breach.
Operators are worried that mandatory notifications may damage their brand
The Report noted that “[o]perators want assurances that notification requirements will not negatively impact their brand” (p. 4) and that “[b]rand is an important issue for all operators” (p. 26). It is thus important for them to remain in control of the communications with their customers affected by the breach, so that they can “effectively manage any impact on brand perception brought about by the data breach and subsequent notification” (p. 26).
However, having to inform one’s customers of a breach may also be regarded, in a “the glass is half full” sort of way, as an opportunity to communicate with customers, and thus, overall, to increase the good will of the company. Bruce Schneier, a data security expert, wrote on his blog in January 2009 that the “direct mail campaign to notify customers… often turns into a marketing opportunity.”
Data Breach Notification Fatigue?
The Report also found that breaches of personal data that are likely to cause harm to data subjects or violate their rights should be subject to mandatory notification. However, if the breached data is encrypted, there may be no real risk that the data will be exploited, and thus notifying the customer may be “redundant” (p. 33). Too many notifications would be like crying wolf, undermining customers’ confidence in the organization while desensitizing them. In other words, if you receive data breach notifications regularly, you may treat them as another boring piece of junk mail.
It is interesting to note that EU customers do not have a credit reporting system as in the US. When a U.S. customer receives a data breach notification, he is sometimes offered a year of free credit monitoring. Also, the Fair Credit Reporting Act guarantees U.S. consumers access to a credit report from each of the three nationwide credit reporting companies every year. It could be argued that since EU customers do not have a centralized way to monitor suspicious activities on their accounts, the complexity of monitoring suspicious activities adds to the “so what?” reaction that ENISA fears too many notifications may induce.
ENISA proposes some indicators for triggering data breach notification
In order to avoid notification fatigue, the Report suggests enabling a consistent methodology across Europe, by considering several relevant indicators for triggering data breach notifications (p. 33):
1. Number of people affected
2. Nature of the data that has been breached (see p. 17)
   · Physical or mental health data
   · Information relating to the sexual life of the data subject
   · Political, philosophical or religious beliefs
   · Information relating to the alleged/actual commission of a criminal offence
   · If the data subjects involved are minors
   · Whether or not the data breach involved financial data
3. Nature of the breach (widespread, or an isolated incident)
4. Security level (has the data been encrypted)
Hopefully, the Report will be a useful source of information to a telecommunication provider before the Member State in which it operates implements the revised ePrivacy Directive.