Out-Law / Your Daily Need-To-Know

Out-Law News

More services should fall within scope of EU security breach rules, security agency says

A business-world social network and a manufacturer of mobile devices did not have to comply with EU rules around security breaches because of "regulatory gaps" in the EU's legislative framework, an EU advisory body has said.

The European Network and Information Security Agency (ENISA) said that LinkedIn and Research In Motion (RIM) were examples of businesses that had not been subject to EU laws on security breaches when they both experienced incidents within the past year.

Currently EU laws require that firms that provide "public communications networks or electronic communications services" ensure that their networks are secure. The firms must report security breaches or loss of integrity to their network to national telecoms regulators. The regulators can order firms to take particular action to protect the security of their networks.

However, ENISA said that services provided by LinkedIn, which had approximately 6.5 million user passwords stolen by hackers earlier this year, and RIM, which reported a "core switch failure" within its Blackberry network infrastructure last year, had not "clearly" fallen within the scope of the EU rules. It urged the European Commission and national authorities to rethink how they interpret the meaning of 'electronic communication services' under the laws in order to ensure that the "gaps" are plugged.

"This can be done without necessarily changing the text of existing legislation, such as the telecom regulatory framework, but rather the interpretation of what the services are, because the landscape of electronic communications is continuously changing (from landline telephones and Minitel in the past, to mobile phones, internet and VoIP)," ENISA said in a report (14-page / 858KB PDF) on cyber incident reporting in the EU.

ENISA also called for EU laws to contain consistent and standard text in relation to security breach reporting requirements. This, it said, would allow for easier "governance" of the laws and compliance by "providers".

The agency also said that EU member states should encourage firms to better 'optimise' how they respond to security breaches, including in how they engage with national computer emergency response teams (CERTs).

"To prevent incidents from escalating, Member states should encourage providers to quickly contact technical experts, incident response teams (like national CERTs), crisis coordination groups, and other organizations relevant in the response phase, should this be necessary," ENISA said. "Member states should underline that incident response receives priority."

"The purpose of mandatory incident reporting to national authorities is supervision over whether or not providers comply with legal requirements, while the purpose of information exchange in the response phase, for example with a national CERT, is to tackle the incident. Member states should encourage transparency and trusted information sharing in the response phase and ensure that response processes are independent and not slowed down by legal reporting requirements. Member states should for instance ensure that incident reporting procedures are easy and quick to apply," it added.

The European Commission should encourage better information sharing between CERTs, whilst regulators and businesses should work together to see whether "automated tools and computer interfaces" can be used to make reporting security breaches cheaper, ENISA's report also said.

Regulators should also be consistent in how they verify that organisations are taking "appropriate technical and organisational security measures" to secure their networks or information, it said. This would "allow providers to comply more easily" with the various laws around reporting security breaches and also "allow equipment vendors to adapt their products accordingly".

ENISA's report also referred to, but did not delve into, "related issues" around security breach reporting, including whether there should be standard ways of setting out "incident reports" and assessing the impact of breaches, and whether a new classification system for rating the "severity" of breaches should be introduced.

New data breach notification rules have been proposed under planned reforms to EU data protection laws.

Under the European Commission's draft General Data Protection Regulation, companies would have to ensure that any personal data processing is done securely and that they notify regulators and any individuals concerned with certain information about any data breach "without delay and, where feasible, not later than 24 hours after having become aware of it". The information should include recommendations over what people can do to "mitigate the possible adverse effects of the personal data breach".

Under the plans regulators would have the power to fine businesses up to 2% of their annual global turnover for failing to notify breaches or for other serious breaches of the Regulation. Organisations not engaged in economic activity could face fines of up to €1 million for serious breaches.
