Following a string of data breach notifications which seem to be less than forthcoming, the EU is urging much stricter guidelines for data breach reporting timelines. It a recent article, European Commissioner Viviane Reding was shocked “that companies needed two or three weeks to inform people that their personal data had been stolen.” Recently I blogged about a parallel effort in the U.S. to legislate standards for breach reporting, it seems the effort is gaining traction “across the pond” in Europe as well.
Following her speech to the British Bankers’ Association (BBA) about the proposed legislation, BBA stated that they already followed the “highest standards of customer protection in their data management”, and so expected little impact.
Referencing the recent data breaches at Sony, Sega and others, Reding wants to extend proposed legislation from the telecom and ISP’s to other sectors. She states, “I will make that mandatory everywhere in this new data protection reform. All personal data breach notification across all sections including banking and financial services.”
Expect organizations to argue the additional regulatory administration is unnecessary, but still the E.U. feels companies, especially financial service ones, haven’t reached the point of fairness in reporting to the consumer, especially regarding situations where customers may need to act quickly to protect their personal information before it is acted upon by cybercriminals.
A delayed notification becomes exponentially worse for customers if they use the same password on multiple websites, a common practice. In a recent blog, Randy Abrams notes, “Do you use the same password for your multiple social networking accounts, email accounts, and other online services? If you answer yes to this, then about once every 5 minutes is the optimal interval for changing your password. When you use the same password everywhere it only takes one Sony-style mistake to compromise all of your accounts. Remember, your passwords are on the Internet, and they are not entirely under your control.”
The usual advice applies, keep your own cyber-situational-awareness, the same as you might about your physical security, avoid shady places, etc. But when a trusted vendor has an unfortunate data breach and delays notification past what is responsible, expect increasing pressure from regulators to make it hurt.
Author Cameron Camp, ESET