All stakeholders have been consulted on the new measures

Jun 24, 2013 13:34 GMT

The European Commission is rolling out new rules that will dictate what Internet service providers (ISPs) and telecoms operators should do if their customers’ personal information is lost, stolen, or compromised.

According to the ePrivacy Directive of 2002, telecoms operators and ISPs are required to keep their customers’ personal data safe. In case of a breach, the 2009 revised ePrivacy Directive dictates that specific national authorities must be alerted.

However, the European Parliament considered that this wasn’t enough to ensure consistent implementation across EU member states, so in 2011 it involved all relevant stakeholders in public consultations in an effort to propose technical implementing measures that would complement the existing legislation.

After analyzing all opinions on the matter, the EC has come up with new specific rules that will clarify how ISPs and telecoms operators must meet their obligations.

According to the new rules, companies that suffer a data breach must inform the competent national authority within 24 hours after the incident has been identified. In case full disclosure is not possible, at least an initial set of information must be given to the national authority within this timeframe.

Secondly, organizations must outline which pieces of information are affected and what measures they plan on applying.

When trying to determine whether or not to notify impacted individuals, organizations should pay attention to the type of data that has been compromised.

The EC also wants to roll out incentives. In conjunction with the European Network and Information Security Agency (ENISA), the EC will try to convince companies to implement a series of protection measures, such as data encryption.

Organizations that apply the proposed measures will be exempt from notifying their customers in case of a data breach.

"Consumers need to know when their personal data has been compromised, so that they can take remedial action if needed, and businesses need simplicity. These new practical measures provide that level playing field," European Commission vice president Neelie Kroes said.