Feeds

Steelie Neelie eyeballs ENCRYPTION PLAN for telco data breaches

That way you won't need to tell subscribers you've lost their stuff - EU veep

Internet Security Threat Report 2014

Telcos in Europe are being asked to consider encrypting their subscribers' personal information as Brussels confirmed new rules on Monday about the industry's obligation to notify customers about data breaches.

The European Union's unelected digital czar, “Steelie” Neelie Kroes, said that if ISPs agreed to shield the data with difficult-to-crack code then companies would not be required to tell the subscriber when a breach of their data has occurred.

Under the measures - which are separate from the European Commission's proposed rejig of the EU's data protection laws - Brussels' officials said they had clarified a general obligation for telcos to inform national watchdogs about an information breach, which has been in place since 2011.

It told telecoms outfits across the 27 members' state bloc to:

  • ■ Inform the competent national authority of the incident within 24 hours after detection of the breach, in order to maximise its confinement. If full disclosure is not possible within that period, they should provide an initial set of information within 24 hours, with the rest to follow within three days.

  • ■ Outline which pieces of information are affected and what measures have been or will be applied by the company.

  • ■ In assessing whether to notify subscribers (ie, by applying the test of whether the breach is likely to adversely affect personal data or privacy), companies should pay attention to the type of data compromised, particularly, in the context of the telecoms sector, financial information, location data, internet log files, web browsing histories, e-mail data, and itemised call lists.

  • ■ Make use of a standardised format (for example an online form that is the same in all EU Member States) for notifying the competent national authority.

The EC said it would be publishing "an indicative list of technological protection measures, such as encryption techniques, which would render the data unintelligible to any person not authorised to see it."

By encrypting the data, the Commission said the "burden" of companies having to inform national authorities about a breach would be lifted, because the subscriber's personal data would apparently be safeguarded.

"Consumers need to know when their personal data has been compromised, so that they can take remedial action if needed, and businesses need simplicity. These new practical measures provide that level playing field," said Kroes.

The new rules have already winged their way through the European Parliament and the European Council, so the regulation does not need to be transposed into national legislation. The Commission added that it will come into force two months after publication in the Official Journal of the European Union.

ISPs in the UK might look on at Kroes' suggestion of encryption with interest, given the current palaver about spooks' internet surveillance in light of PRISM; not to mention the Home Secretary's torpedoed Communications Data Bill, which permitted the security services and the police to access sensitive subscriber data at will. ®

Beginner's guide to SSL certificates

More from The Register

next story
Same old iPad? NO. The new 'soft SIMs' are BIG NEWS
AppleSIM 'ware to allow quick switch of carriers
Arab States make play for greater government control of the internet
Nerds told to get lost in last-minute power grab bid at UN meeting
Brits: Google, can you scrape 60k pages from web, pleeease
Hey, c'mon Choc Factory, it's our 'right to be forgotten'
Of COURSE Stephen Elop's to blame for Nokia woes, says author
'Google did have some unique propositions for Nokia'
It's even GRIMMER up North after MEGA SKY BROADBAND OUTAGE
By 'eck! Eccles cake production thrown into jeopardy
Mobile coverage on trains really is pants
You thought it was just *insert your provider here*, but now we have numbers
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.