Reports are circulating that the European Commission is planning a number of changes to its pan-European data breach legislation, including a requirement to report a breach within 24 hours of its discovery and, if the rumours in the Financial Times and other media outlets are correct, a dramatic increase in the penalties for data losses.
The imposition of a 24-hour rule is something of a game changer, as it will significantly raise the bar on data security within the EU membership area, making the subject a boardroom agenda item for many more companies.
As has been reported, in the US, where data breach notification legislation is a lot more onerous than it is in Europe, the costs of remediating a breach are a lot higher. As a direct result, we have found that the issue is discussed a lot more amongst companies and, as a consequence, the profile of IT security generally seems to be far greater.
You can see this in the higher profile that IT security vendors have in the business mainstream in the US. The good news is that, as US products and services are priced similarly to those here in Europe, their relative cost – compared with remediating a data breach – is a lot less.
Rumours are also appearing in the press that the EU is looking to increase the maximum penalty for a data breach to five per cent of the organisation’s annual turnover.
If this widely-reported rumour is correct – and it almost certainly explains the recent batch of hefty fines imposed on a number of UK councils – then the new legislation really is something of a game changer, since it will push the topic of data security right up to the top of the boardroom agenda.
It is clear that there are changes planned on the EU data protection and penalties front – and that sales of IT security solutions will increase on the back of these changes. The danger is that some organisations may spend their IT security budgets on solutions that are not entirely suitable for their needs, rather than taking time to plan strategically.
There is a danger of a knee-jerk reaction in the IT security industry to the effects of the revamped data security legislation, so our message to the European Commission is that a reasonable implementation timescale is needed, so as to avoid companies making the wrong decisions when it comes to IT security.
That isn’t to suggest that the new legislation should not be implemented at all. What is needed here is a reasonable period of time before new laws are phased in, giving IT security professionals the chance to review – and then decide – what is the best course of action for their companies.
That way, when the new legislation passes into enforceable law, companies and their IT staff will be prepared for the new rules and penalties. As with all matters of an IT nature, however, planning is everything, so whilst we welcome the leaked plans for a 24-hour reporting requirement, this process really does need to be gradually phased in and not just implemented overnight.