European Commission In Favor Of Security Breach Requirements
Client Alert | 1 min read | 09.15.06
The European Commission recently announced in a public consultation concerning the review of the EU telecom regulations that it favors adopting security breach notification requirements for network operators and electronic service providers, similar to the requirements contained in laws passed by more than 30 states in the U.S. in the last two years. If the Commission proposal finds acceptance within the broader political community, it could have important consequences for the communications sector, create important compliance issues and expose the sector to adverse publicity and associated liabilities. Analogous obligations may spill over to other business sectors, particularly to businesses that process sensitive personal information, such as the banking and insurance industries and the health-care sector.
The current EU Directive 2002/58 on privacy in the electronic communication sector (the E-Privacy Directive) imposes a notification requirement upon electronic communication service providers "in case of a particular risk of a breach of the security of the network […]" (Article 4 (2) of the E-Privacy Directive, emphasis added). The existing Directive does not directly require such service providers to provide notification in the event of actual security breaches. The general EU Data Protection Directive 1995/46 does not contain a security breach notification obligation either, as it sets forth only general technical and organizational security and confidentiality requirements.
The Commission believes that "a requirement to notify [individuals of] security breaches would create an incentive for providers to invest in security but without micro-managing their security policies." If the proposal becomes effective, network operators and electronic service providers will be required to: (i) notify the National Regulatory Agency (NRA) of any security breach resulting in the loss of personal data and/or that may cause the interruption of the services, and (ii) notify customers of any security breach leading to the loss, modification or destruction of, or unauthorized access to, personal customer data.
Corporations and stakeholders can participate in the public consultation until October 27, 2006 by sending their opinions or position papers to the European Commission.