In an escalation of the tendency to require companies to be forthright with their users following a breach, a proposed European Union bill intended to overhaul a 17-year-old law is making progress. This week the EU will outline the overhaul to the existing rules, hoping to encourage more expedient communication following a breach and to speed notification to the affected parties.
According to Justice Commissioner Viviane Reding, companies that suffer a data leak must inform the data protection authorities and the individuals concerned, and they must do so without undue delay; she hopes breach notifications will occur within 24 hours. The new bill also aims to bring increased sanctions for reporting delays, though the exact details remain to be sorted out during the next week.
The U.S. has a patchwork of notification legislation that varies state by state, with some states, such as Massachusetts, taking a very strong stance. Expect other states to beef up their reporting requirements in the near future in response to pressure from consumers and lawmakers alike.
In the meantime, it’s a good exercise to plan data breach drills at your organization. Internally, a drill will highlight potential weak links in the security chain long before they are trotted out to the press and customers as an uncomfortable spectacle. If you set aside a certain evening to run a drill every 6 months or so, you’ll be far more prepared than your competition and will have a much higher chance of staying out of the headlines for data breaches altogether. Setting aside a couple of nights a year for your staff will cost far less than the cheapest data breach recovery, so it’s money well spent. It will also help both your organization and its customers sleep more soundly at night, knowing the steps you are taking to protect both groups.
Author: Cameron Camp, ESET