Sunday, 22 January 2012

EU breach reporting guidelines? They might be on their way

Work is continuing, behind the scenes, to develop better guidelines for European data controllers on managing and reporting security breaches. Sponsored by ENISA, the European Network and Information Security Agency, a group of regulators have been working with a very select handful of industry representatives to develop something that might make sense to the wider data protection community.

What has hit home is the fact that the vague breach notification obligations, as set out in the ePrivacy Directive, have been implemented (when at all) in a very patchy manner. I was told that, last October, just 12 Member States, for example, had actually implemented the security breach notification requirements, yet they were all supposed to have done so by last May.

What is actually meant by the obligation to report a breach “without undue delay”? How long is that? If you’re Greek, it’s apparently a period of 12 days. If you’re Irish it’s 2 days, and if you’re Hungarian it’s 24 hours. And how do we resolve the conflict which arises when, on the one hand, there is an obligation to report a breach, but on the other hand, data controllers have rights under Article 6 of the European Convention on Human Rights concerning self-incrimination? And, what is the point of reporting losses relating to encrypted information, if it’s evident that no harm will arise to anyone as a consequence of the loss?

What is meant by a minor breach? What rules apply if you’re unfortunate enough to incur a cross border breach? And should ENISA really be publishing breach notification guidelines without closely consulting the data controllers who were already subject to the ePrivacy breach notification regime, just to make sure that they hadn’t missed anything?

What’s happened so far is that the ENISA working party has created a substantial draft (currently some 64 pages long) which tries to address the issues. Let’s give credit where credit’s due. The participants have a good idea of what’s required, and what needs to be done. An initial workshop, held on 24 January 2011 (yes, a year ago), listed the following:

• Lack of a unified approach towards data breach notifications among sectors and among Member States
• Different understanding of the nature of a data breach
• Lack of guidelines, best practices, common formats of notifications
• Lack of guidelines on effective technical measures for protection of data
• Lack of guidelines on follow-up actions after notification
• Economics of notifications
• Cases of exemption from notification

And they have set themselves a challenging target to create a text that will really add value to the current knowledge base. Constructive discussions continue (but I won’t be playing any active part in these discussions – at least not until I leave my current job and am invited to join in and play by someone else).

A lot of what I’ve read is really good stuff. There are sections, though, that need more work. The section that probably needs the greatest amount of work is the section which offers guidance on how a data controller assesses the impact of a personal data breach. When I say the greatest amount of work, it is evident that the current text has been crafted by one of the greatest mathematical minds the European data protection community has ever had the privilege of working with. It’s so brilliantly conceived that it’s gone straight over my head. And, even though statistics was a component part of my University degree, I really don’t think that this section of the guidance resonates very well among those of us who have normal mathematical minds.

Today’s illustration, believe it or not, is the formula which is proposed to assess the impact / severity of a detected personal data breach, when various sets of criteria, as well as their consequences on four impact areas, are fully taken into account. The mathematical minds have even devised two possible approaches on how to perform the impact / severity assessment of the personal data breach. They also offer guidance about how to flex the formula: “For the ease of the assessment, the competent authorities can provide a calculator of the severity of the breach, taking into account all circumstances and their own ways of calculations. For specific cases, the data controller could adjust the result obtained from the calculator by one grade (up or down).”

What does this really mean? That we should rejoice – since we data protection professionals will have jobs for ever as we blind colleagues within our businesses with such science? Teams of highly paid boffins will probably have to tour the European Community, explaining this stuff to the likes of you and me. And they may need to explain it several times before it all sinks in.

Actually, no. This can’t be the right approach. We need simpler ways of assessing the likelihood of harm to an individual. We’ve got to have Homer Simpson in our minds as we develop understandable rules and calculations. Not Albert Einstein. Do I have any ideas? Yes, I have oodles of ideas, but they’re not for dissemination in a blog like this. If you’re that interested in my ideas, speak to me privately, later.

That’s enough on data breach management for today. Those who feel particularly inspired in this subject can see me presenting my ideas with the amazing Jeanette Fitzgerald, SVP and General Counsel of Epsilon, at a DataGuidance breach notification event at the London offices of Bird & Bird on Thursday 26 January. Jeanette and I do not see entirely eye to eye on such matters, so it will be a great opportunity to appreciate how the same issues can be handled differently by an American or an English data controller. Expect arguments – and laughter – as we share our passion with anyone who’s sufficiently interested.

I must thank those good folk at ENISA for their commitment to transparency by creating and circulating a draft document that has no protective security markings, so it is only fair to assume that it is not a confidential document. I’m sure they’ll let you have a copy of their latest draft if you ask them nicely.