BreachExchange mailing list archives

EC Looks To Impose Massive Data Breach Fines


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Tue, 6 Dec 2011 13:46:17 -0500

EC Looks To Impose Massive Data Breach Fines
http://www.eweekeurope.co.uk/news/ec-looks-to-impose-massive-data-breach-fines-48532

The European Commission is to demand the power to fine companies for
data breaches under new reforms

The European Commission (EC) is reportedly looking to introduce steep
fines for companies that breach data protection laws as part of a
proposed overhaul of privacy regulations.

The latest draft of the proposed changes would allow the EC to fine
larger companies up to five percent of their global turnover, which
could amount to billions of pounds for companies such as Google or
Facebook, according to reports by the Financial Times and Bloomberg.

Updated Regulation

The reforms would give the EC powers comparable to those it wields in
the area of competition, where it is able to fine companies up to 10
percent of their turnover for breaches. These powers have resulted in
massive fines for the likes of Microsoft and Intel.

Companies would be liable for customer data sold to third parties
without authorisation and data transferred to social networks or
cloud-based services. The new regulations would apply to the European
subsidiaries of organisations based outside the EU, forcing
multinationals to strengthen their data protection policies.

In a speech in Brussels on Tuesday, EU Justice Commissioner Viviane
Reding said the reforms are intended to be “an inspiration for changes
in the US and elsewhere.”

She specifically singled out US plans for a self-regulation regime for
companies that collect personal data, arguing that such a scheme “will
not be sufficient to achieve full interoperability between the EU and
US.”

The new rules would oblige companies to notify data protection
authorities within 24 hours in the case of a breach affecting private
data. By contrast, earlier this year RSA took two months to notify
authorities of a compromise that affected its SecurID tokens. Companies
with more than 250 employees would be required to employ dedicated
data protection staff.

The EC is looking to introduce the first significant update to its
data protection legislation since 1995, and is set to formally unveil
its proposals in January. The changes will also look to alter the way
social networks such as Facebook gather data about users.

The new measures will face approval by national governments, and then
must be implemented in national law, meaning it is likely to be at
least four years before the rules come into effect.
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
