Friday 7 October 2011

Depressing ways of implementing EC breach notification laws

Yesterday’s webinar run by the law firm Hunton & Williams on how various Member States were implementing EC personal data breach notification requirements left me so depressed that I ate an entire packet of Hotel Chocolat's Boozy Combo immediately afterwards to cheer me up. If you haven't tried their Boozy Combo, and quite like the concept of eating chocolate flavoured with whiskey, rum and Poire William, then you're in for a treat.

Why was I so depressed? Because I was presented with a narrative which made it clear that laws had been passed without a complete understanding of what their effects were going to be. In this case, European companies are faced with a bizarre set of breach notification requirements, for no obvious purpose.

It's understandable why there should be some types of breach notification requirements in the US. After all, if there isn't a basic federal law requiring all data controllers to put in place steps to ensure the adequate security of personal data, then it's clear that there should be an incentive not to make mistakes - such a breach notification requirement. But why should this necessarily be the case in the EC?

The data protection directive has already set a standard, requiring data controllers to take adequate care of personal data. Will breach notification measures really encourage data controllers to "up their game"? I don't think that behaviours will necessarily change. Especially with regard to those data breaches which involve simple human errors and affect just one or two victims. It's hard to put in place technical controls that provide cast iron guarantees that individuals won't make simple mistakes when dealing with individual data records. It's much easier to put in place technical controls that encrypt large volumes of information that is transported from one place or another.

I was also depressed because I had just declined an invitation to consider applying to join an expert group set up by the European Network and Information Security Agency. This expert group has been tasked with creating recommendations for technical guidelines for the implementation of compulsory personal data breach notification requirements by communication and internet service providers.

But why do we need technical guidance on a common breach notification format if it is wholly unclear whether regulators in each of the EC member states were going to adopt a common approach to the breach notifications that they'll be sent? Why expect people to fill in the same form if, in some states, it will be thrown straight in the bin? And in others, only a cursory glance will be given to it as the staff in that office are too busy working on more important issues?

Another reason for my not wanting to join the group was that the experts were only scheduled to meet once or twice more, and none of the people I knew to be members of that group of experts were people who were employed by communication or internet service providers. The final draft is scheduled to be presented to those who commissioned it at the end of this month. Critics may well argue that the standard will appear to have been created by no expert who had any practical experience of trying to determine whether the security incidents they were actually experiencing met the various statutory and regulatory definitions of personal data security breaches.

So why should I join a group solely comprised of people involved in regulating and enforcing, rather than implementing, these issues? If they didn't need the experience of practitioners when they started work to develop this common reporting and response format, would I simply have been there for a spot of window dressing at the end?

If I had been invited to participate at the commencement of the expert group, I expect that I would have pointed out the absurdity of expecting large numbers of data controllers to promptly notify regulators of the most minor of breaches. I would have urged a harm-based approach with thresholds that were sufficiently high to ensure that regulators would take notice of the incident, once they had received a report. So I can understand why I wasn't invited earlier.

But, to be honest, I would not really have wanted to have helped to devise a way of implementing a concept that was so flawed in the way it was originally drafted.