At present only public telecommunications providers are required by European law to notify their customers of security breaches affecting their privacy, including breaches that affect the confidentiality, integrity or availability of personal data. In the UK the Information Commissioner has published recommendations on handling privacy breaches, including when to notify those affected. Requirements to notify privacy breaches are, however, contained in a number of draft laws currently being discussed by the European Parliament and Council, including the draft Network and Information Security Directive, the draft eSignatures Directive and the draft Data Protection Regulation.
The formal effect of the Article 29 Working Party’s new Opinion on Personal Data Breach Notification will depend on the outcome of those legislative discussions. However, its discussions of various breach scenarios are already useful in identifying the kinds of impact a breach may have and, in particular, the sorts of technical and organisational safeguards that organisations can put in place to reduce those impacts. According to the working party, these include:
- Data Minimisation
- Pseudonymisation
- Least Privilege
- Awareness Raising
- Vulnerability Management
- Code Review
- Encryption (provided state of the art algorithms are used and keys kept secure)
- Salted, hashed password storage
- Shredding (and other forms of secure disposal)
- Backups
- Incident Response
None of these should be unexpected but it’s helpful to have them all recognised as contributing to privacy protection. The wide range of the measures also highlights the need for organisations to use a variety of tools, chosen to provide a consistent level of privacy protection. Relying on a single tool, or a single part of the organisation, is likely to leave information open to other types of attack.