The EU data breach Directive reminds us that it's about respecting customers, not just ticking boxes.

Author: Efraim, Shaul

It's not often that a single speech has the power to reshape the computing industry, but EU Justice Commissioner Viviane Reding's confirmation in a January 2012 address that the European Commission is planning a raft of new directives on data security will come to be seen as an important turning point.

The Directive includes a number of tough new provisions on data handling, but the element that will give security professionals the most immediate anxiety is the insistence that organizations doing business in the 27-nation EU zone inform national information commissioners of data breaches affecting consumers or citizens within 24 hours, or risk heavy fines for not doing so.

This is a radical jump. Having been under little or no obligation to formally disclose a data breach in most EU countries, companies will suddenly be required not only to inform the authorities but to do so in some detail and on an accelerated timescale. Moreover, the change will affect not only companies in the EU but those doing business in it, making the Directive the first de facto global data breach law.

Informing the authorities that a breach has been discovered sounds straightforward but is anything but. Assuming administrators have evidence that something has gone awry, do they have the tools to say precisely what, without delay? What sort of reporting systems do they have to explain the extent of a breach? Do possible security failures have any regulatory and legal consequences, and if so, what?

A major consequence of this development is that old-fashioned periodic, manual security audits, and the manual configuration processes that underlie them, should be viewed as heading for obsolescence.

Currently, security is often measured for regulatory and compliance purposes through an external audit that takes place quarterly or annually, depending on the business sector. Some organizations also perform more regular internal checks, but the design of these is open to interpretation and their frequency varies from organization to organization.

The reality of the data breach Directive is that administrators could be asked to audit their security stance at any moment in time as a breach is uncovered, with only a few hours' notice. Referring back to an audit possibly weeks or months in the past will be useless; CISOs will require an overview of security policies, compliance and data protection that reflects what is happening at the moment the request is made.

This makes complete sense - can any company...