Further to my last posting on breach notification, my attention has been drawn to a recent (22nd October 2009) draft text of the proposed Directive to amend the EC telecoms directives.
As an amendment to the existing Directive 2002/58/EC the new proposals would apply in the first instance only to public telecommunications networks and services. However, as expected, this draft calls for a wider breach notification law: “The interest of users in being notified is clearly not limited to the electronic communications sector, and therefore explicit, mandatory notification requirements applicable to all sectors should be introduced at Community level as a matter of priority” (recital 59).
The current proposals would require communications providers to notify their national regulator (presumably the Information Commissioner in the UK) whenever they suffer a security breach that affects personal data. In addition, the individuals affected should be informed where the breach could result “for example, [in] identity theft or fraud, physical harm, significant humiliation or damage to reputation” (recital 61): the draft recognises that there may be circumstances where such misuse is unlikely and therefore notification unnecessary, for example if the personal information was encrypted (Article 2 4(c) on pages 74-76). Notifications should include information about what the provider has done to address the breach as well as what individuals may do themselves.
It has been argued that this in fact goes no further than current good practice in the UK, as contained in the Information Commissioner’s existing guidance on data security breach management and notification of data security breaches. It will be interesting to see what the UK implementation, required within 18 months of the Directive being finally published, makes of this.