Saturday, 15 January 2011

Excuse me – do you know about "your" data breach?

It won’t be too long before telecoms companies and internet service providers are faced with the prospect of dealing with mandatory breach notification rules. I only hope that these new rules don’t actually divert valuable management time and resources away from the real issues – which relate to making sure that victims understand how committed the data controller is to limiting the damage which may be caused as a result of the breach, and ensuring that changes are made to the relevant processes to reduce the likelihood of such an unfortunate incident happening again.

A report by ENISA, the EU’s cyber-security agency, has just been published, which makes a number of recommendations. Perhaps the aim is to ensure that those same rules which would work in the telecoms sector could be rolled out to other sectors with relative ease in due course. Those who like to place a bet on the next sectors to face breach notification rule are tossing their Euros at the financial and the health care sectors and small businesses.

Yes, I have read it. All 38 pages. And, for brevity, I’m going to reproduce below the summary produced by The Register, which set out the key concerns raised by the telecom operators and DPAs interviewed by ENISA. They include:

• Risk Prioritisation – Interested parties want breaches categorised according to risk levels to avoid ‘notification fatigue’. Graded responses should be applied depending on the level of risk. A one-size-fits-all approach would be counterproductive.
• Communication Channels – Operators wanted assurances that abiding by breach notification rules and reporting slips would not result in damaging their brands. The concern is that those that report problems, in compliance with the rules, will be "punished" by earning a reputation for poor security, while those that do nothing will avoid tarnishing their reputation.
• Resources - Several regulatory authorities have other priorities beyond the handling of breach notification and there were concerns this could lead to over-stretching of resources, leading to possible problems in enforcement and other areas.
• Reporting Delay - The report identified a split between service providers and regulators on deadlines for reporting breaches. Regulators want short deadlines whereas service providers wanted to be able to focus their resources on solving the problem, before they dealt with the regulatory fallout of any breach.
• Content of Notifications - Another area of disagreement. Operators want to make sure the notification content avoided unduly alarming customers, who might be inclined to think the worst about any breach. Regulators, meanwhile, advocated complete transparency.

The comments on the rules, from what I have seen, appear to concentrate on the “process” of notification. But let’s take a step back first. If we’re not careful, we’ll end up wasting resources. Who really wants to create an overly bureaucratic machinery that is designed to tick boxes, not cure the underlying problem? We can all see where this is leading – to an avalanche of notifications to regulators who are powerless to react because they don’t have the resources (or possibly the inclination) to deal with each notification they get.

What really interests me is in trying to understand what the point of notification is. Is it about creating a process, or is it about creating an atmosphere of empathy with the victim? Or is it to encourage data controllers to change their behaviours?

If notification is to achieve its purpose, then we have to understand what this purpose is.

Given the experience of the past 15 years, we can all appreciate what a waste of time routine notification of data processing purposes is to regulators. So why on earth is it thought that routine notification of breaches to regulators would serve any useful purpose?

If a data controller is to be punished for any failure to notify a regulator of a breach, then I think it’s incumbent upon the regulator first to explain what benefit will be derived from having reported the breach in the first place.

Perhaps this is where a new “Accountability” principle comes in. Perhaps data controllers should concentrate on discussing breaches and their consequences with the victims, rather than with regulators. And, rather than liaising with the regulators as a matter of course, they should devote the vast majority of their resources to sorting out the current problem, and only inform the regulators about exceptional breaches, rather than run-of-the-mill breaches.