Security breaches overview

07 February 2007

Patrick Camerer Cuss

The UK

When must you disclose?

When “there remains a significant risk to the security of the public electronic communications service” (Privacy and Electronic Communications Regulations).

To whom must you disclose?

Guidance from the Information Commissioner’s Office suggests that ISPs and network operators should disclose to the subscriber, not to all users of the service.

There is currently no obligation to disclose to the Information Commissioner’s Office.

Does National Law state what “appropriate Security Measures” are?

No.

Response of the Member State to the Commission’s Proposal

The UK government argued that appropriate levels of security can be achieved through co-operation with industry and by educating end-users.

Furthermore, the UK argued that the obligation to notify customers of security breaches should apply only to security breaches that result in personal data being disclosed.



Spain

When must you disclose?

If a particular risk arises threatening the security of the public network of electronic communications, the operator exploiting such network or providing the electronic communications service shall inform its customers about the risk and the measures that should be implemented (Article 34 of the Telecommunications Act).

To whom must you disclose?

To customers. However, the legislation does not specify whether “customers” means all the customers of these operators or only those customers affected by the risk.

Does National Law state what “appropriate Security Measures” are?

Yes, there are different security measures depending on what the data is.

All data files must implement a basic level of security measures which, among other things, must include the adoption of a “Security Document” containing a summary of all the applicable security measures.

Other types of data have more stringent measures, which may include an audit of compliance with the Security Document.

For data files that contain sensitive personal data, that information should be encrypted.

Response of the Member State to the Commission’s Proposal

Spain affirmed that the most important objective of the new legal framework is to try to ensure effective protection of consumers and also to ensure access to essential services. Additionally, Spain considers that it is important to increase the transparency between operators and consumers, and also to specify the security measures that operators shall implement in order to improve the current situation.


Italy

When must you disclose?

Where there is a particular risk of a breach of network security (Section 32 (3) of the Data Protection Code).

To whom must you disclose?

Subscribers and, if possible, users.

Additionally, where the risk lies outside the scope of the standard technological measures set out in the Data Protection Code, you must also inform the Italian Data Protection Authority and the Authority for Communication Safeguards.

Does National Law state what “appropriate Security Measures” are?

Yes.

Annex B to the Italian Data Protection Code sets out minimum security measures.

These include having an up-to-date security document and ensuring that there are procedures for protecting the security of the data. In some cases encryption is necessary.

Response of the Member State to the Commission’s Proposal

The Italian Data Protection Authority has not commented on the Commission’s proposal.



Sweden

When must you disclose?

Where there is a particular risk of inadequate protection of the data processed (Section 4 of the Swedish Electronic Communications Act).

To whom must you disclose?

Subscribers.

Does National Law state what “appropriate Security Measures” are?

No.

Response of the Member State to the Commission’s Proposal

The Swedish government’s view is that rather than drafting additional principles on the protection of personal data, the operators and ISPs should be required to ensure security and confidentiality on a general level.

The government went further to say that the notification requirement should not be limited to integrity-related incidents, but should also include an obligation to provide information about important service outages and other interruptions. Regarding the requirement to notify the national regulatory authority, the Swedish government’s view is that only serious incidents should be reported.


The Netherlands

When must you disclose?

When there are “special risks” to the security of their data. Special risks are those risks that fall outside the remit of the provider’s duty to protect their subscribers (Dutch Telecommunications Act).

To whom must you disclose?

Subscribers.

Does National Law state what “appropriate Security Measures” are?

No.

Response of the Member State to the Commission’s Proposal

The Dutch government agrees that there should be notification to both clients and to the national regulatory authorities after all security breaches. The national security advisors can then in turn inform the general public. The Dutch government’s view is that it is not always appropriate to notify security breaches to all.


Germany

When must you disclose?

When there remains a particular risk to the network security (Section 93 (2) of the Telecommunications Act).

To whom must you disclose?

Subscribers (not all users of the service).

Does National Law state what “appropriate Security Measures” are?

No.

Response of the Member State to the Commission’s Proposal

The German response to the Commission’s proposal is not yet publicly available.



France

When must you disclose?

Where there is a particular risk of a breach of the security of the public communications network (French Postal and Electronic Communications Code).

To whom must you disclose?

Subscribers (it is unclear whether this includes all users of the service).

Does National Law state what “appropriate Security Measures” are?

No.

Response of the Member State to the Commission’s Proposal

The French authorities welcomed the comments of the Commission.

Their view was that it is essential for the appropriate national authorities to be able to decide on additional measures, particularly on the basis of the level of risk. France believes that liability in the event of an infringement of security obligations should remain a national law issue.