Friday, April 18, 2008

Data breach notification

The European Data Protection Supervisor has called for a data breach notification law (via Out-law):

"The privacy watchdog for EU institutions has called for a planned requirement for telecoms companies to publish details of information security breaches to be extended to banks, businesses and medical bodies.

The European Commission has proposed a data breach notification law which would force telecoms companies to tell customers when personal information had been lost. The requirement was among other proposed changes to the Privacy and Electronic Communications Directive published last autumn.

The European Data Protection Supervisor (EDPS) has said that if the proposal is designed to help prevent identity theft it must be extended to include banks, businesses and others.

"While the EDPS is pleased with the security breach notification system … he would have favoured their application at a wider scale to include providers of information society services," said the EDPS's response. "This would mean that online banks, online businesses, online providers of health services etc would also be covered by the law."

Proposals to reform the European Electronic Communications Framework are likely to be taken up in Autumn this year. The main proposals to amend the Directive on Privacy and Electronic Communications 2002/58/EC include the following:

- introducing mandatory notification of security breaches resulting in users’ personal data being lost or compromised;

- strengthening implementation provisions related to network and information security to be adopted in consultation with the Authority;

- strengthening implementation and enforcement provisions to ensure that sufficient measures are available at Member State level to combat spam;

- clarifying that the Directive also applies to public communications networks supporting data collection and identification devices (including contactless devices such as Radio Frequency Identification Devices);

- modernising certain provisions that have become outdated, including the deletion of some obsolete or redundant provisions.

The proposals also give some clarity on the use of spyware:

"In Article 5(3): this ensures that use of “spyware” and other malicious software remains prohibited under EC law, regardless of the method used for its delivery and installation on a user’s equipment (distribution through downloads from the Internet or via external data storage media, such as CD-ROMs, USB sticks, flash drives etc.)."

It should also be noted, however, that such spyware can easily be removed by anti-spyware software (see this article) and through the StopBadware project.
