Businesses need to prepare for new proposals in EU data protection regulation which look set to widen the scope of the law while bringing in mandatory reporting of data breaches.
That is likely to mean businesses will need to put further data security controls in place so that they know where critical and sensitive company data is stored, according to Gerard Curtin, CEO of PixAlert, an Irish firm which develops software for detecting data loss and inappropriate image content on company networks.
“Mandatory reporting will help bring about more clarity to the amount of data being lost and improve efforts to prevent breaches. With its eventuality clearly on the horizon, businesses need to address data protection seriously and proactively prepare to ensure that sufficient security structures and controls exist. If a company is seen as being unable to protect client data or in breach of regulation, penalties are likely to be imposed,” said Curtin.
EU directive amendments
The EU implemented new amendments to Directive 2002/58/EC on the protection of privacy (the Privacy and Electronic Communications Directive). The amendments introduced breach notification rules and penalties for Internet Service and Telecoms providers, requiring operators to secure personal data properly and to inform their customers and data protection authorities promptly when client data is lost or breached. This directive was enacted as law in Ireland and the UK earlier this summer.
In June, the EU’s Justice Commissioner Viviane Reding said new data protection changes including mandatory notification of data breaches across all sectors would ensure that all businesses, including those in the financial sector, take data protection seriously. “Data breaches have eroded consumers’ trust and banks and businesses will need to take data protection much more seriously if they want to avoid future reputation damage,” she said.
The Commission is expected to present its proposal to the European Parliament and the Council of the EU in 2011; the Parliament and the Council will then agree the final text under the co-legislation procedure.
Where is the data?
A recurring theme among many security and risk professionals is that many organisations don’t know where their most important data is stored, or whether it is in multiple locations – not just on a company server but on mobile devices or USB keys. Without that information, putting appropriate measures in place to protect the data becomes very difficult.
To prepare for mandatory reporting, good security practice should be to establish where critical and company-sensitive information resides on an organisation’s network, said Curtin. “Data discovery is an essential factor in risk mitigation and a control in assessing governance and compliance capabilities – before you can protect your data, you must be able to find it.”
The “data auditing” process allows organisations to identify and proactively react to vulnerabilities, he added.
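A minimal illustration of the data discovery step Curtin describes, as an added example that is not PixAlert's software or code from the article: a scanner walks a directory tree, flags files containing e-mail addresses or card-like numbers, and uses a Luhn checksum to discard digit strings that merely look like card numbers. The regex patterns, the directory layout and the sample records are all constructed for this example; a real audit would tune the patterns to the organisation's own data classes and cover network shares, mailboxes and removable media as well.

```python
import os
import re
import tempfile
from collections import defaultdict

# Detection patterns for two example data classes. These are assumptions for
# the demonstration, not a production ruleset.
PATTERNS = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    # 13-19 digits, optionally separated by single spaces or dashes
    "card_number": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
}


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum (ISO/IEC 7812).

    Doubling every second digit from the right and subtracting 9 when the
    result exceeds 9 is the standard formulation; the total must be a multiple
    of 10.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify_text(text: str) -> dict:
    """Count matches per data class in one file's text.

    Card-like digit runs are only counted when they pass the Luhn check, which
    removes most order numbers, reference ids and timestamps from the results.
    """
    hits = defaultdict(int)
    emails = PATTERNS["email"].findall(text)
    if emails:
        hits["email"] = len(emails)
    for match in PATTERNS["card_number"].finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits["card_number"] += 1
    return dict(hits)


def scan_tree(root: str, max_bytes: int = 1_000_000) -> dict:
    """Walk `root` and return {relative_path: {data_class: count}} for files with hits.

    Only the first `max_bytes` of each file are read so a single large binary
    cannot stall the audit; unreadable files are skipped rather than aborting.
    Paths are normalised to forward slashes so the inventory is stable across
    operating systems.
    """
    inventory = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    raw = fh.read(max_bytes)
            except OSError:
                continue
            hits = classify_text(raw.decode("utf-8", errors="ignore"))
            if hits:
                inventory[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return inventory


def build_sample_tree() -> str:
    """Create a constructed directory of sample files and return its path.

    4111 1111 1111 1111 is a well-known test card number that passes Luhn; the
    16-digit order id in notes.txt does not, so it should not be reported.
    """
    root = tempfile.mkdtemp(prefix="discovery_")
    samples = {
        "finance/refunds.csv": "customer,card\nA. Nobody,4111 1111 1111 1111\n",
        "finance/notes.txt": "Reference 1234 5678 9012 3456 is an order id, not a card.\n",
        "marketing/contacts.txt": "alice@example.com\nbob@example.org\n",
        "marketing/slogan.txt": "Nothing sensitive here.\n",
    }
    for rel, content in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    # Print a simple inventory: where each data class was found and how often.
    for path, hits in sorted(scan_tree(build_sample_tree()).items()):
        print(f"{path}: {hits}")
```

The inventory this produces is the starting point the article argues for: a list of locations holding sensitive data that can then be secured, moved or deleted, and that tells an incident responder which files matter if a breach has to be reported.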
Photo: Gerard Curtin, CEO of PixAlert