Requiring ISPs and network operators to report security breaches ...
Requiring ISPs and network operators to report security breaches is a good idea but needs work, European data protection commissioners told the EC last week. The EC, now reviewing its e-communications regulatory framework, sought comments from the Article 29
Data Protection Working Party. Findings included:

(1) Sectors with no reporting mandates could be seen as getting special treatment in relation to those that do. No recent U.S. security breaches involved ISPs, so the obligation to notify also should cover data brokers, banks and other online service providers and should distinguish among levels of breaches.

(2) The EC working paper proposes distinguishing among providers of access infrastructure and providers of service, but the line is blurring. The working party urged the EC to investigate whether rules for processing personal data and protecting privacy in e-communications should be accentuated to prevent confusion over whom the rules are aimed at.

(3) A proposal to extend and strengthen security provisions by merging privacy and universal access requirements risks sending the message that security “merely concerns networks, competition and network providers [but] it also regards protecting the fundamental right to privacy.” People must be able to use public e-services anonymously, the working party said. Any proposal to change authentication should be preceded by a thorough analysis of e-services accessibility.

(4) It’s unclear how a recommendation to set new obligations on service providers to address security incidents, respect guidance by regulators and give consumers notice of actions to be taken in case of a security breach would add anything to existing law. Such requirements could, instead, boost burdens on service providers and regulators.

The working party stressed that while it backs better security, “it does not support any measure that leads or might lead to more surveillance of content blocking.”

The working party “is throwing the baby out with the bath water,” said telecom lawyer Axel Spies: Notifying the public about a breach can damage a company’s reputation, and it may not even be clear why the breach happened and who was affected. Notification raises “complicated liability questions and, in any event, doesn’t cure the breach,” he said. Spies questioned how an ISP whose site is visited by thousands daily reasonably can be expected to give notice. Many nations, moreover, already require notice of breaches to regulators, he said.