1. Home
  2. |Insights
  3. |European Commission In Favor Of Security Breach Requirements

European Commission In Favor Of Security Breach Requirements

Client Alert | 1 min read | 09.15.06

The European Commission recently announced in a public consultation concerning the review of the EU telecom regulations that it favors adopting security breach notification requirements for network operators and electronic service providers, similar to the requirements contained in laws passed by more than 30 states in the U.S. in the last two years. If the Commission proposal finds acceptance within the broader political community, it could have important consequences for the communications sector, create important compliance issues and expose the sector to adverse publicity and associated liabilities. Analogous obligations may spill over to other business sectors, particularly to businesses that process sensitive personal information, such as, for instance, the banking and insurance industry, as well as the health-care sector.

The current EU Directive 2002/58 on privacy in the electronic communication sector (the E-Privacy Directive) imposes a notification requirement upon electronic communication service providers "in case of a particular risk of a breach of the security of the network […]" (Article 4 (2) of the E-Privacy Directive, stress added). An existing Directive does not directly require such service providers to notify of [or "in the event of"]  actual security breaches. The general EU Data Protection Directive 1995/46 does not contain a security breach notification obligation either, as it only sets forth only general technical and organizational security and confidentiality requirements.

The Commission believes that "a requirement to notify [individuals of] security breaches would create an incentive for providers to invest in security but without micro-managing their security policies." If the proposal becomes effective, network operators and electronic service providers will be required to: (i) notify the National Regulatory Agency (NRA) of any security breach resulting in the loss of personal data and/or that may cause the interruption of the services', and (ii) notify customers of any security breach leading to the loss, modification or destruction of, or unauthorized access to, personal customer data.

Corporations and stake-holders can participate in the public consultation until October 27, 2006 by sending their opinions or position papers to the European Commission.

Insights

Client Alert | 6 min read | 03.26.24

California Office of Health Care Affordability Notice Requirement for Material Change Transactions Closing on or After April 1, 2024

Starting next week, on April 1st, health care entities in California closing “material change transactions” will be required to notify California’s new Office of Health Care Affordability (“OHCA”) and potentially undergo an extensive review process prior to closing. The new review process will impact a broad range of providers, payers, delivery systems, and pharmacy benefit managers with either a current California footprint or a plan to expand into the California market. While health care service plans in California are already subject to an extensive transaction approval process by the Department of Managed Health Care, other health care entities in California have not been required to file notices of transactions historically, and so the notice requirement will have a significant impact on how health care entities need to structure and close deals in California, and the timing on which closing is permitted to occur....