"Where this cannot achieved within 24 hours, an explanation of the reasons for the delay should accompany the notification. The individuals whose personal data could be adversely affected by the breach should be notified without undue delay in order to allow them to take the necessary precautions."
For those of us who are familiar with dealing with a difficult security breach, having to contact a regulator in that massively important, golden 24 hours would be an unnecessary and unwarranted distraction.
Even though companies such as Sony and RSA have recently been lambasted for not reporting breaches soon enough, many have suggested the rule is too strict and could result in poor reporting of incidents.
"It's not helpful to specify a strict time in the way they've done," Stewart Room, partner in Field Fisher Waterhouse's technology law group, told IT Pro. "The regime that we have for telcos and ISPs, of reporting without undue delay, would be the right regime.
"For those of us who are familiar with dealing with a difficult security breach, having to contact a regulator in that massively important, golden 24 hours would be an unnecessary and unwarranted distraction. What may happen, rather than focusing totally on remedial action, the unfortunate organisation that suffers a breach is going to be focusing more on regulatory action."
Containment, mitigation and recovery should be on companies' minds after a breach occurs, Room added.
Others have suggested the 24-hour rule will lead to inaccurate reporting of data breaches, leading either to over or understated reactions.
ICO boost?
The new EU rules could favour the UK's data protection watchdog, the Information Commissioner's Office (ICO), which has been asking for greater enforcement powers, even after it was given the ability to fine companies up to 500,000.
The EC wants to "further enhance the independence and powers of national data protection authorities (DPAs) to enable them to carry out investigations, take binding decisions and impose effective and dissuasive sanctions, and oblige Member States to provide them with sufficient resources to do so."
It would like to see DPAs allowed to fine companies as much as 1 million or up to two per cent of the global annual turnover of a company.
"I would have thought all the data protection regulators are going to be made up it's like Christmas for them," Room said.
"It's very clear who the winners are - data protection regulators, data protection lawyers, data protection consultants and data protection officers. What's less clear is how do data subjects, controllers and processors win."
-
M&S suspends online sales as 'cyber incident' continuesNews Marks & Spencer (M&S) has informed customers that all online and app sales have been suspended as the high street retailer battles a ‘cyber incident’.
-
Manners cost nothing, unless you’re using ChatGPTOpinion Polite users are costing OpenAI millions of dollars each year – but Ps and Qs are a small dent in what ChatGPT could cost the planet
-
AI recruitment tools are still a privacy nightmare – here's how the ICO plans to crack down on misuseNews The ICO has issued guidance for recruiters and AI developers after finding that many are mishandling data
-
“You must do better”: Information Commissioner John Edwards calls on firms to beef up support for data breach victimsNews Companies need to treat victims with swift, practical action, according to the ICO
-
LinkedIn backtracks on AI training rules after user backlashNews UK-based LinkedIn users will now get the same protections as those elsewhere in Europe
-
UK's data protection watchdog deepens cooperation with National Crime AgencyNews The two bodies want to improve the support given to organizations experiencing cyber attacks and ransomware recovery
-
ICO slams Electoral Commission over security failuresNews The Electoral Commission has been reprimanded for poor security practices, including a failure to install security updates and weak password policies
-
Disgruntled ex-employees are using ‘weaponized’ data subject access requests to pester firmsNews Some disgruntled staff are using DSARs as a means to pressure former employers into a financial settlement
-
ICO reprimands Coventry school over repeated data protection failuresNews The ICO said the academy trust failed to follow previous guidance, which caused a serious data breach
-
Forcing Apple to allow alternative app stores might cause major security risksAnalysis Apple will be forced to allow third-party marketplaces on its devices, but some experts have raised serious security concerns
