January 25, 2012, 12:19 PM — Europe's proposed new laws on data protection are burdensome and expensive, but may give companies incentive to put more measures in place to secure data, according to representatives of business interests.
The mandatory notification of data breaches "as soon as possible", normally within 24 hours, has caused the most concern. But other elements of the European Commission's proposed reform of the Data Protection Directive have alarmed many in industry.
Under the proposed law, companies would be obliged to inform both the relevant Data Protection Authorities (DPAs) and all affected individuals of any data security breach, including unauthorized destruction or loss.
Organizations that fail to issue notifications about a personal data breach in a timely or complete fashion to the supervisory authority will face fines of up to 2 percent of their current revenues. Mark Fullbrook, director of IT security company Cyber-Ark, questioned the reason for a time limit: "If the goal of this law is to provide consumers with upfront information about the security of their information, then a 24-hour notification period is hardly going to enable that. If you look at any of the serious breaches that have occurred over the last year, not one of the affected organizations was able to articulate the true extent of the breach within a day."
"I remain unconvinced that legislating around the disclosure of breaches actually provides any real incentive for organizations to employ best practices when it comes to data security. Let's face it, imposing a fine or a time limit is just like putting a plaster over a gaping wound -- it only goes so far," he added.
Many security firms, however, were quick to see the business advantage in helping companies meet these new requirements. "The most effective way to identify exactly what data has been compromised, and thus generate accurate breach notifications within 24 hours, is by deploying centralized protective monitoring systems that automatically collect and analyze all log data generated by the IT infrastructure," said LogRhythm vice president Ross Brewer.
However, Brewer also warned about the danger of "over-disclosure", which, he said, is a risk because many companies do not know what information has been compromised and may be forced to issue a blanket breach notification.
But the "cost of implementing security measures to proactively protect corporate information from potential data breaches and attacks, is far less than the ultimate cost of a data breach," pointed out Aziz Maakaroun, managing partner of Outpost24 UK. "Rather than suffering from the financial and reputational damage that comes as a result of a data breach, surely it would be more beneficial for businesses to take steps to prevent data breaches from ever occurring in the first place."