European Commission Introduces New Rules on Breach Notification by Telcos and ISPs
Since 2011, telcos and ISPs have had a mandatory obligation under the e-Privacy Regulations 2011 (S.I. 336/2011) to notify the national data protection authority, and any individuals adversely affected, of breaches of personal data. However, the 2011 Regulations do not prescribe specific timeframes for breach notification.
The new Regulation provides businesses with clarity on how to meet their existing breach notification obligations. Companies will be required to:
Notify the competent national authority of the personal data breach no later than 24 hours after detection of the breach, in order to maximise its confinement. If it is not feasible to make full disclosure within that period, an initial notification must be made within 24 hours, with the remaining information to follow within three days.
Annex 1 of the Regulation sets out the information to be contained in the notification to the competent national authority.
In assessing whether to notify individuals of the data breach incident companies should consider:
(a) the nature and content of the data compromised, in particular where the data concerns financial information, location data, internet log files, web browsing histories, email data, and itemised call lists;
(b) the likely consequences of the breach for the individual concerned; and
(c) whether the data has been stolen or is in the possession of an unauthorised third party.
Annex 2 of the Regulation sets out the information to be contained in the notification to the individuals adversely affected by the breach.
The Regulation has direct effect and will come into force on 25 August 2013.
For further information please contact Davinia Brennan at [email protected].