WHEN SHOULD A company notify you of a security issue with your information?
Just last week a ‘security vulnerability’ was discovered at Eir, meaning thousands of customers were at risk of a cyber attack because of a fault with older modems that Eir supplies.
A week after they became aware of the vulnerability, Eir tested the lines and discovered at least 2,000 devices had been breached by a third party.
In response to the security vulnerability, the company said it would contact 130,000 customers to advise them to reset their modems and to set new passwords for their devices.
They also have been notifying the Office of the Data Protection Commissioner (ODPC), the Communications Regulator (ComReg) and the Department of Communications since 22 November.
It’s still unclear if anyone’s data had been stolen (or breached) in this case, but it does raise questions around the obligations to citizens around their data – and when they should be told that there is a potential risk.
So what are the laws around data protection measures once a risk has been found?
Legislation
Data Protection consultant with the Irish Computer Society Lanre Oluwatona explains the laws as they currently stand:
“Most organisations are only required to report a data breach to the Data Protection Commissioner in the event of the discovery of one. A security vulnerability may or may not necessarily result in a data breach.”
However, according to one section of the “eprivacy” regulation. telecoms service providers must notify customers “without delay” if there is even a “risk” of a data breach.
On 4 May of this year, an EU directive was accepted that would give citizens back control over of their personal data, and to simplify the regulatory environment for business.
The new rules will apply from 25 May 2018, giving companies a chance to adapt to the new rule, and EU Member States are to transpose it into their national law by then.
“The General Data Protection Regulation would require organisations to report a data breach within 72 hours of becoming aware of it,” says Oluwatona.
He continues by saying that customers at risk of a cyber attack are also required to be notified without delay “where there is a high risk to the fundamental rights and freedoms”.
In this case ‘high risk’ means an individual’s right to a private life as defined in the European Convention on Human Rights.
This is described as:
breaches that are likely to bring harm to an individual – such as identity theft or breach of confidentiality – must also be reported to the individuals concerned…
It is worth noting that a failure to report a breach when required to do so could result in a fine, as well as a fine for the breach itself.
The consequences
These new rules will give the Data Protection Commissioner extra powers to punish companies who don’t conform to the rules – which includes heavy fines.
In addition to these fines, organisations would also be required to proactively adopt privacy during product design and development under a new concept known as ‘privacy by design’.
“Privacy by design and the minimisation of data have always been implicit requirements of the data protection principles. However, the GDPR enshrines both the principle of ‘privacy by design’ and the principle of ‘privacy by default’ in law.
“This means that service settings must be automatically privacy friendly, and requires that the development of services and products takes account of privacy considerations from the outset as opposed to privacy being an afterthought.
“Privacy under GDPR is proactive rather than reactive.”
These rules would have the dual aim of forcing companies to comply with more stringent regulations around awareness, as well as giving individuals a surer idea of whether everything was done to protect their privacy as quickly as possible.
To embed this post, copy the code below on your site
have your say