EU moves on data breach notification law

Published 9 October 2008

Security professionals debate the recommendations of independent research to introduce tough European data breach and security regulations

A recent report calling for stringent data security and breach notification laws has been welcomed by information security professionals. Delegates at the independent Information Security Solutions Europe (ISSE) conference, being held this week in Madrid, welcomed the recommendation to introduce a breach notification law, presented in a report compiled by respected IT security academics. Commissioned by the European Union (EU) agency the European Network and Information Security Agency (ENISA), the report makes a series of recommendations focused on shifting liability for IT security gaps onto IT users and vendors alike. The requirement to notify EU authorities and affected customers of any potentially damaging data breach came out on top.

ITPro’s Miya Knights writes that, presenting the research findings on behalf of his fellow report authors, Rainer Böhme of the Dresden University of Technology said such regulation was necessary to keep pace with the economic challenges created by today’s security threat landscape. “The threats to regional and national security are clear, as are the potential financial and privacy harm,” Böhme said. “That’s why the number one recommendation of our research was for a comprehensive breach notification law.”

He said such a law would create an atmosphere of greater responsibility around security among organizations and consumers alike, and would also provide a central repository of data on security breaches that could be used to quantify their economic impact.

The report offers fifteen recommendations, and Böhme also highlighted those that sought to shift liability for IT system vulnerabilities back to the software industry, and liability for passing on malware to ISPs. An ENISA spokeswoman said the agency was in the process of preparing a report on the recommendations for the EU, but that the initial reaction of business and the IT industry alike was that the recommendations, particularly those around shifting liability, were “highly controversial”. She added: “The main ones around breach notification were received positively and we’ll be reflecting that in our report.”