In a consultation on changes to the EU framework on telecoms regulation, the EC proposes that all providers of "electronic communications networks or services" be forced to notify customers and regulators of any breaches of security that would result in their personal data being made available to others.

The current EU Directive only instructs network providers to notify customers of security risks. It does not cover security breaches.

The current law in the UK follows the Directive closely via the Privacy and Electronic Communications Regulations of 2003.

"Where … there remains a significant risk to the security of the public electronic communications service, the service provider shall inform the subscribers concerned of (a) the nature of that risk; (b) any appropriate measures that the subscriber may take to safeguard against that risk, and (c) the likely costs to the subscriber involved in the taking of such measures," says the Act.

The consultation under which the new proposals are made runs until 27th October. If the Directive is changed as planned it could have serious effects on companies operating the networks covered.

In California and the 33 US states which have since copied its groundbreaking notification laws, reports of security breaches have rocketed in number. Where companies may previously have not informed regulators and customers that a breach had taken place, the news of each breach now reaches vast audiences.

A series of laptop thefts and losses from government and private bodies has exposed the data of millions of people to potential loss and misuse in the US. Some of that information may never have come to light without the notification law.

"A requirement to notify security breaches would create an incentive for providers to invest in security but without micro-managing their security policies," says the working document accompanying the review process. "The proposed changes would require providers of electronic communications networks and services to notify the [regulator] of any breach of security that led to the loss of personal data and/or to interruptions in the continuity of service supply."

"The regulator would have the possibility to inform the public if they considered that it was in the public interest," said the document. Service providers would also have to "notify their customers of any breach of security leading to the loss, modification or destruction of, or unauthorised access to, personal customer data," it said.

The consultation was published on 28th June. OUT-LAW asked the UK's Office of the Information Commissioner yesterday if it plans to recommend a change to UK law that would apply the Californian model here. A spokesman responded: "We are not advocating any such change."