New EU Rules Require ISPs, Telcos To Come Clean Within 24 Hours of Data Breaches
hypnosec writes "Under new EU regulations ISPs and Telcos serving European customers will have to come clean within 24 hours in case of a security or data breach that leads to theft, loss, or compromise of data. Companies will have to disclose the nature and size of the breach within the first 24 hours. Whenever it's not possible to submit such data, they must provide 'initial information' within the stipulated time and full details within three days. Under the new terms the affected organizations will be required to reveal information such as information that has been compromised and the steps that have been taken or will be taken to resolve the situation. If the breach 'is likely to adversely affect' personal information or privacy, affected businesses and consumers will be notified of the breach."
Does this mean the alleged NSA taps on major internet links that monitor all traffic would have to be reported as breaches too if an EU ISP discovers (or knowingly installs) one?
I wonder how this law is to be enforced. If nothing is ever told that the breach happened (and logs "expired" pertaining to the breach), then only the party that did the intrusion would really have proof it ever happened.
General system logs don't have all the eDiscovery rules that e-mail does, and I sort of dread having to keep every syslog/event log from every single machine for x amount of time, because an intruder can easily just trash the log archive server unless the logs were written to something like WORM tape, or EMC's SAN that does WORM volumes.
In any case, this law is a start, and I wish similar laws would reach across the pond too. However, my fear is that even successful breaches will be classified as "attempts" and never reported... and if they are, it will be one person who gets the blame for failing to report it, they get sacked, and life goes on.
Do they really expect every massive, multi-part intrusion to be investigated to completion so that a full report can be made after only 72 hours? What am I missing?
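An added illustration of the log-integrity problem raised in the comment above (example code written for this page, not the poster's): a hash-chained log archive, where every stored line carries a SHA-256 over the previous hash and the line itself. WORM media prevents an intruder from trashing the archive; a chain like this lets you detect deletion, reordering or editing of entries in an archive that is not on WORM storage, and, if the latest head hash is copied somewhere the log host cannot overwrite, detect truncation of the tail as well. The sample syslog lines are constructed, and the function and constant names are my own choices.

```python
"""Tamper-evident, hash-chained log archive (added example, not from the thread).

Each archived entry is (line, SHA-256(prev_hash || "\n" || line)). Deleting,
reordering or editing an entry breaks every link after it, so a verifier can
report the first bad index. Comparing the recomputed head against a head hash
recorded off-box additionally catches truncation of the tail.
"""
import hashlib
from typing import List, Optional, Tuple

# Constructed starting hash for an empty chain (assumption, not a standard).
GENESIS = "0" * 64


def _link(prev_hash: str, line: str) -> str:
    """Hash that ties this line to everything archived before it."""
    return hashlib.sha256((prev_hash + "\n" + line).encode("utf-8")).hexdigest()


def append_entry(chain: List[Tuple[str, str]], line: str) -> List[Tuple[str, str]]:
    """Append one log line to the chain, in place, and return the chain."""
    prev = chain[-1][1] if chain else GENESIS
    chain.append((line, _link(prev, line)))
    return chain


def verify_chain(chain: List[Tuple[str, str]],
                 expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Recompute every link. Returns (ok, index_of_first_bad_entry_or_None).

    If expected_head (the last hash recorded off-box) is given, a chain that
    verifies internally but ends on a different hash is reported as truncated
    or rewritten, using index len(chain).
    """
    prev = GENESIS
    for i, (line, h) in enumerate(chain):
        if _link(prev, line) != h:
            return False, i
        prev = h
    if expected_head is not None and prev != expected_head:
        return False, len(chain)
    return True, None


# Constructed sample syslog lines; hostnames and addresses are made up.
SAMPLE_LINES = [
    "Jun 12 03:14:07 edge01 sshd[4711]: Accepted publickey for ops from 10.0.0.5",
    "Jun 12 03:14:09 edge01 sudo: ops : TTY=pts/0 ; COMMAND=/usr/bin/less /var/log/auth.log",
    "Jun 12 03:15:30 edge01 sshd[4711]: Disconnected from 10.0.0.5",
]


def build_sample_chain() -> List[Tuple[str, str]]:
    chain: List[Tuple[str, str]] = []
    for line in SAMPLE_LINES:
        append_entry(chain, line)
    return chain


def tampered_chain_deleted_entry() -> List[Tuple[str, str]]:
    """Archive after someone removed the middle line but kept the rest."""
    chain = build_sample_chain()
    return [chain[0], chain[2]]


def tampered_chain_edited_entry() -> List[Tuple[str, str]]:
    """Archive after someone rewrote the middle line without re-hashing."""
    chain = build_sample_chain()
    line, h = chain[1]
    return [chain[0], (line.replace("auth.log", "syslog"), h), chain[2]]


if __name__ == "__main__":
    chain = build_sample_chain()
    head = chain[-1][1]  # this is the value you would record off-box
    print("intact:   ", verify_chain(chain, head))
    print("deleted:  ", verify_chain(tampered_chain_deleted_entry(), head))
    print("edited:   ", verify_chain(tampered_chain_edited_entry(), head))
    print("truncated:", verify_chain(chain[:2], head))
```

The chain only detects tampering that happens after a line was archived; it says nothing about whether the line was true when written, and an intruder who controls the archive host can rebuild the whole chain from scratch. That is why the head hash has to leave the box, and why the poster's point about WORM storage still stands.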
The EU Privacy Directive is still law, and the EU right to privacy is still written directly into UK law. RIPA does not trump the fundamental rights and it didn't give them permission:
http://www.legislation.gov.uk/ukpga/2000/23/section/1
"(4) Where the United Kingdom is a party to an international agreement which—
(a) relates to the provision of mutual assistance in connection with, or in the form of, the interception of communications,
(b) requires the issue of a warrant, order or equivalent instrument in cases in which assistance is given, and
(c) is designated for the purposes of this subsection by an order made by the Secretary of State,
it shall be the duty of the Secretary of State to secure that no request for assistance in accordance with the agreement is made on behalf of a person in the United Kingdom to the competent authorities of a country or territory outside the United Kingdom except with lawful authority."
You didn't have a UK court order, so you didn't have lawful authority to intercept UK comms. It was done illegally. You cannot transcribe a mass surveillance directive FISA warrant into UK law and pretend it gives you UK lawful authority. FISA law does not apply to the UK; a FISA warrant does not count as lawful authority. If it did, then American law would count as lawful authority over any UK law.
Without even getting into whether a US law that violates the 4th Amendment is lawful authority or not, it is not lawful in the UK. It is not lawful under RIPA.
So the companies who assisted in this need to come forward and report what they did as a data breach. Because that is what it is. Parliament rules the UK, not GCHQ, not the NSA.
In particular, Vodafone is buying Deutschland Kabel, and Vodafone's network in Greece was spied on in 2004, so the Germans need to ensure their network is secure from extra-legal surveillance before allowing that to go ahead. Answers are needed.
Isn't that only Germany, or did I miss something?
I wonder how this law is to be enforced. If nothing is ever told that the breach happened (and logs "expired" pertaining to the breach), then only the party that did the intrusion would really have proof it ever happened.
That a company does its best to hide that their systems were breached doesn't mean that it will never come out.
If lists of passwords appear online, or if somebody abuses customer data that was only ever disclosed to that company, they will be in deep sh*t if it comes out that they knew about the breach and did not follow the law.
...I sometimes encounter data breaches from companies I do business with, simply because I use a unique e-mail address for each business. (name_businessname@domain). As soon as I start receiving spam on the e-mail, I have pretty much irrefutable proof that a leak exists at that company; the only condition being that I must make sure that that e-mail address is never communicated to anyone else.
Of course, "proof" for a court of law could require a bit more, but I think that needs to be established as jurisprudence, and this could be an example of how it could be established.