ENISA (the European Network and Information Security Agency) has issued a new report on data breach notifications . Having approached telecoms operators and data protection authorities (DPAs) on this topic, the report highlights data breach handling and key stakeholder concerns.

The revised e-Privacy Directive (2002/58/EC) brought in EU data breach notification requirements for the telecoms sector and the European Commission is considering the inclusion of the finance, healthcare and small business sectors. By requiring mandatory data breach notification to the national data protection authority, the Commission hopes to encourage organisations to increase the level of security afforded to personal data and to reassure citizens about the security of their personal data by telecom sector operators.

What are appropriate technical and organisation security measures exactly?

ENISA, the EU agency ‘created as a response to security issues of the European Union’, will be preparing guidance on the technical implementation measures and procedures required to comply with Article 4 of the e-Privacy Directive on security, so this most recent report serves as a useful precursor to the issues which should be addressed in the highly-anticipated ENISA guidance.

As a general comment ENISA found that data protection authorities tend to take a varied approach to enforcing data protection and privacy in the EU. ‘Some follow EC Directives closely, while others take on additional responsibilities beyond those outlined in the Directives’. While the telecoms sector may recognise the importance data breach notification will play in data security, the uncertainty in how such notifications will be dealt with by DPAs should not be underestimated.

The key concerns raised by telecoms operators include the following:

  • Risk prioritisation – Breaches should be categorised according to specific risk levels to limit the burden of notification on the resources of both organisations and DPAs, in particular where there is no real risk to the rights of the data subject;
  • Communications channels – Brand is an important issue for all operators who are looking for assurances that notification requirements will not impact negatively on their brand as well as assurance that they can maintain control on notifying data subjects to effectively manage any impact on brand perception; and
  • Support – Guidance relating to the implementation of security levels to comply with Article 4 of the e-Privacy Directive and should aim to prevent violations before they happen in addition to procedural guidance on the data breach notification requirement.

The DPAs interviewed for ENISA’s report listed concerns. While the majority of DPAs support mandatory breach notification for telecoms operators, the report highlights a long list of factors for consideration before mandatory notification can be implemented. Those factors include:

  • adequate resources both budgetary and staff IT expertise to match the high level of technical expertise found in the telecoms sector;
  • sanctioning authority to impose penalties as a tool ensuring compliance; and
  • a clear delineation of responsibilities between relevant authorities to mitigate or prevent potential conflict.

The key concern among DPAs was that the data breach notification requirement will interfere with their ability to perform their numerous other pre-existing responsibilities, which in some member states is already evident when seeking authorisations for data processing and/or approval for international transfers.

Organisations should look to the legislative examples of Ireland and Germany highlighted in the ENISA report while Member States prepare their implementing legislation of the new e-Privacy Directive. ENISA cited both countries as useful examples of breach notification procedures and suggested a progress review of “both countries over time in order to gather experiences, best practices, and lessons learned”.

We will prepare a future blog on ENISA’s guidance on appropriate technical and organisational measures once it has been issued so watch this space!