Out-Law News 2 min. read

Data and security breach notification rules must not place unnecessary burdens on businesses, says expert

The administrative and cost burdens involved in reporting IT security breaches to regulators must be accounted for in new EU legislation that has been proposed, an expert has said.

Technology law expert Luke Scanlon of Pinsent Masons, the law firm behind Out-Law.com, said that it would be unfair and unnecessary to require businesses to report every minor security breach they experience.

Next month the European Parliament is set to vote on a proposed new Network and Information Security (NIS) Directive which would, if introduced into EU law, require businesses that operate critical national infrastructure across sectors such as financial services, telecoms, energy and transport, to report on cyber security breaches in certain cases.

The wording of the Directive is still in the process of being finalised, but the European Commission's original proposal was to make it a requirement for market operators to report all breaches that have a "significant impact on the security of the core services they provide".

Separate rules outlined in the proposed new General Data Protection Regulation would require all businesses to report all personal data breaches to regulators "without undue delay" and, where possible, within a day of the breach being identified.

Both sets of rules should take account of the almost inevitability of breaches happening to businesses and require security incidents to be reported at the stage most likely to assist in reducing the overall damage caused by intrusion and attacks to both businesses and individuals, Scanlon said.

"Whether we are comfortable accepting it or not security must be more about dealing with the consequences of attacks, incidents and breaches and less about ensuring that breaches never take place or that networks are never penetrated," he said.

"It is important that an understanding of detection activities filters through to those advocating EU law reform. It seems that there needs to be more of a discussion about what is important to report and when is the best time to report suspicious activities beyond the general parameters already suggested in the draft texts. This is particularly important if those parameters remain ambiguously drafted", he added.

Scanlon was commenting after a recent survey revealed that 14% of UK businesses experienced at least one "internal security breach" within the past year. As a result, IT security supplier IS Decisions estimated that there must have been more than 300,000 such incidents across all UK businesses in last 12 months. IS Decisions surveyed 250 IT decision makers at UK businesses with between 50 and 10,000 employees.

"Given there were 2.17 million businesses registered in the UK in 2013, this suggests that there were over 300,000 internal security breaches in the UK last year," IS Decisions' 'Insider Threat Security Manifesto' report (registration required to access 28-page / 2MB PDF) said.

 IS Decisions said that insider threats was rated as a fourth biggest security concern among its survey respondents, behind viruses, data loss and hacking. Just 21% of respondents across the UK and US ranked insider threats as one of their top three security concerns.

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.