EU Regulations: Problems and Solutions

According to Law360, the European Union's data protection regulators have taken measures to push for greater reporting and accountability for data loss reporting, including what qualifies as a breach and what industries should comply:

"Under a 2002 e-privacy directive, only telecommunications service providers are required to report serious network information security incidents. However, the regulators in their opinion urged a broader swath of data controllers to report serious data breaches to both competent national authorities as well as affected individuals, in light of a proposed regulatory overhaul currently making its way through the EU legislative process that would extend notification obligations to all sectors. 'Although this opinion considers the existing obligations of providers of electronic communications regarding [the 2002 directive], it provides examples from multiple sectors, in the context of the draft data protection regulation, and presents good practices for all controllers ... even if notification is not mandatory,' the regulators wrote. The 'nonexhaustive' list presented by the regulators of potential intrusion scenarios encompassed 'availability breaches' that involve the accidental or unlawful loss of personal data, 'integrity breaches' that lead to the alteration of personal data, and 'confidentiality breaches' caused by the unauthorized disclosure of or access to personal information. The six illustrative cases contained in the opinion ran the gamut from laptops being stolen from a children's health care institute to an employee of an Internet service provider giving a third party the log-in credentials for a client database to a company mistakenly discarding an envelope containing intact credit card receipts to an encrypted laptop of a financial adviser being stolen from a car."

The report acknowledges that encryption simply isn't enough. That's why the best method is to truly lock down data at the source, removing the risk of the consequences that can result from some of the scenarios listed above.