Slashdot Mirror


New EU Rules Require ISPs, Telcos To Come Clean Within 24 Hours of Data Breaches

hypnosec writes "Under new EU regulations ISPs and Telcos serving European customers will have to come clean within 24 hours in case of a security or data breach that leads to theft, loss, or compromise of data. Companies will have to disclose the nature and size of the breach within the first 24 hours. Whenever it's not possible to submit such data, they must provide 'initial information' within the stipulated time and full details within three days. Under the new terms the affected organizations will be required to reveal information such as information that has been compromised and the steps that have been taken or will be taken to resolve the situation. If the breach 'is likely to adversely affect' personal information or privacy, affected businesses and consumers will be notified of the breach."

3 of 70 comments

  1. NSA too? by hawguy · Score: 4, Interesting

    Does this mean the alleged NSA taps on major internet links that monitor all traffic would have to be reported as breaches too if an EU ISP discovers (or knowingly installs) one?

  2. Re:Hopefully coming soon to the US by mlts · Score: 5, Interesting

    I wonder how this law is to be enforced. If no one is ever told that the breach happened (and the logs pertaining to the breach "expired"), then only the party that did the intrusion would really have proof it ever happened.

    General system logs don't have all the eDiscovery rules that e-mail does, and I sort of dread having to keep every syslog/event log from every single machine for x amount of time, because an intruder can easily just trash the log archive server unless the logs were written to something like WORM tape, or EMC's SAN that does WORM volumes.

    In any case, this law is a start, and I wish similar laws would reach across the pond too. However, my fear is that even successful breaches will be classified as "attempts" and never reported... and if they are, it will be one person who gets the blame for failing to report it, they get sacked, and life goes on.

  3. What can reasonably be accomplished in three days? by Fastolfe · Score: 3, Interesting

    Do they really expect every massive, multi-part intrusion to be investigated to completion so that a full report can be made after only 72 hours? What am I missing?