Telecom Operators Must Report Security Breaches
At the moment Dutch companies are not yet obliged to report
security breaches. Since 2007, however, a duty for telecom operators
to report security breaches has been under discussion in Europe,
following the example of the United States. This duty to report
became reality on 6 May 2009. In this article we discuss the duty to
report security breaches as it will apply within the Netherlands in
the near future (most probably from August 2010).
Developments within Institutional Europe
At the European level the introduction of a duty to report in the
event of security breaches has been under discussion for some time.
The duty to report is part of the amendments to the e-Privacy
Directive. In September 2008 the European Parliament voted on the
proposal to amend the e-Privacy Directive, and thus also on the
contents of the duty to report. However, the European Parliament
presented its own (155!) amendments to the proposed duty to report.
Subsequently, in November 2008 the European Commission submitted an
adapted version of the proposed amendment to the European
Parliament. On 6 May 2009 the European Parliament gave the green
light. The only thing still missing is the approval of the Council
of Telecom Ministers.
The Reasons for a Duty to Report
The most important reason to introduce the duty to report is that
end users of publicly available electronic communication services
are thereby informed about security breaches that result in the loss
or compromise of their personal data. The end users are also
informed about available or advisable precautions that they may take
in order to minimize potential economic losses or social damage
resulting from security breaches. Finally, the end users may claim
damages if they suffer damage as a consequence of the breaches.
Furthermore, the duty to report may be an incentive for companies to
pay more attention to the security of (personal) data and to improve
their security measures. Experience in the United States and the
United Kingdom shows that companies are so 'afraid' of damage to
their image that more attention is indeed paid to data security when
a duty to report applies.
The Form of the Duty to Report
a. Who Must Report?
With the proposed amendment of the e-Privacy Directive the European
Commission introduces a duty to report for providers of publicly
available electronic communication services.
b. To Whom Must be Reported?
The providers of publicly available electronic communication
services must, on the one hand, notify the national regulatory
institution (or the institution authorized under the law of the
Member State) of the security breach. On the other hand, the
subscribers or persons concerned who are the victims of the breach
must also be notified of the security breach without delay.
The notification to subscribers or individual persons is not
required when the provider has shown, to the satisfaction of the
authorized institution, that (a) there is only a small chance that
consumer rights and consumer interests are harmed by the breach of
the personal data, or (b) appropriate technical protection measures
have been taken and these measures have been applied to the data
involved in the security breach. These protection measures must
render the data unintelligible to any person who is not authorized
to access them.
c. Basis of the Report
By virtue of the proposal the following security breaches must be
reported: security breaches leading to the accidental or unlawful
destruction, loss, alteration, unauthorized disclosure of, or access
to personal data transmitted, stored or otherwise processed in
connection with the provision of publicly available electronic
communication services in the Community. The Commission no longer
makes it a primary condition that the duty to report applies only if
the security breach is likely to cause damage to users; instead,
recital 29 of the proposal emphasizes that the duty to report
applies especially in cases in which the rights and interests of
consumers are endangered (such as cases of unauthorized access to
e-mail contents or to credit card information).
d. Contents of the Report
The providers of a publicly available electronic communication
service must therefore promptly report the security breach to the
national regulatory institution (or the institution authorized under
the law of the Member State) and to the subscribers or persons
concerned who are the victims of the breach.
In the notification to the subscribers or persons concerned, a
provider of a publicly available communication service must at least
describe the nature of the breach and the point of contact where the
data subjects can obtain more information, and must propose measures
to mitigate the negative effects, if any, of the breach of the
personal data. The duty to report does not apply only towards the
subscribers or persons concerned: the authorized institution must
also be informed of the same breach without delay. In addition to
the above-mentioned information, in this notification the provider
must also describe the consequences of the breach for the personal
data and the measures taken or proposed by the provider to address
the breach.
e. Procedure
By virtue of the European Commission's proposed amendment, the
Member States must ensure that the authorized national institution
can determine detailed rules and, if necessary, issue guidelines on
the format in which the notification must be given and the manner in
which it must be made. This entails the risk that the various Member
States will give substance to the procedural aspects of the duty to
report in different ways. Taking this objection into account, the
European Commission, after consulting the EDPS, the Article 29
Working Party, interested parties and the European Network and
Information Security Agency, may determine technical implementing
measures in connection with the information and notification
requirements referred to above.
f. Enforcement
The European Commission's proposed amendment contains no penalty as
a sanction for companies that do not comply with the duty to report.
Nor has the European Parliament proposed to include a power to
impose a penalty. Nevertheless, a penalty seems to be an efficient
instrument to force businesses to comply with the duty to report.
And finally, should not the penalty and the accompanying damage to
their image induce businesses to implement a higher level of
security? It is therefore not clear to us why the European
Commission has not opted to include a power to impose a penalty. Or
do the European Commission and the European Parliament deem the risk
of damage to their image already sufficient to induce telecom
operators to pay more attention to the level of security?
Recent Developments in the Netherlands
In the Netherlands there are also discussions about whether
organizations should be obliged to report cases of data loss or
security breaches. On the one hand, these discussions are prompted
by the many data breach cases known from abroad. On the other hand,
the pending introduction of the duty to report, in accordance with
the amendment of the e-Privacy Directive, is a reason to look at the
duty to report in more detail. For that purpose, in a letter to the
Lower House of Parliament dated 10 July 2008, the Minister of the
Interior and Kingdom Relations announced an investigation into the
ins and outs of the duty to report. The investigation report was
published on 27 April 2009 and provides an overview of the reporting
systems already in existence. The investigation report also
discusses the developments at the European level, but does not
reveal a preference for a particular reporting system.
Conclusion
Above we have described the coming duty to report for telecom
operators. In practice, the consequence of this duty to report is
that telecom operators must carefully evaluate the security measures
they have implemented and will have to ask themselves whether those
measures are adequate to minimize the risk of security breaches.
After all, the risk of damage to their image and of negative
publicity in the event of a security breach will be too large once
the duty to report becomes reality.