Technology Security
Business Issues Channels Enterprise Services SME Technology
Module Header
Craig WentworthMWD Advisors
Craig Wentworth
16th April - Egnyte the blue touchpaper...
Louella FernandesLouella Fernandes
Louella Fernandes
11th April - Managed Print Services: Are SMBs Ready?
Louella FernandesLouella Fernandes
Louella Fernandes
11th April - The Managed Print Services (MPS) Opportunity for SMBs
Simon HollowayThe Holloway Angle
Simon Holloway
11th April - Intellinote - capture anything!
David NorfolkThe Norfolk Punt
David Norfolk
11th April - On the road to Morocco


Security breach legislation—Europeans, you are not immune
Fran Howarth By: Fran Howarth, Practice Leader, Bloor Research
Published: 15th October 2009
Copyright Bloor Research © 2009
Logo for Bloor Research

There are no overarching security breach regulations in Europe, right? To some extent, no. At an EU level, amendments were made to the ePrivacy Directive in May 2009 that made breach notification compulsory for internet service providers and network operators in the case of personally identifiable information about customers is lost or stolen.

So where does that leave organisations operating in other sectors? Can they afford to rest on their laurels? Certainly not. In the absence of specific laws related to security breach notification—such as SB 1386, which was the first such law put in place by the state of California and which has led to similar legislation being enacted in the majority of US states—European countries are beginning to use existing data protection laws to punish offenders.

Germany is the first EU member state to add new requirements to its existing legislation that are specifically focused on security breach notification. Already perhaps the most stringent interpretation of the EU's 1995 data protection directive, the German Federal Data Protection Act was amended in 2009 to introduce mandatory security breach notification where data is lost and that loss is likely to have a serious impact on the rights of the individual concerned. It also introduces new powers for data protection authorities to order organisations to remediate compliance failures and increases the fines and sanctions that can be imposed for non-compliance.

The UK is one country that, whilst it has not actually amended its data protection legislation, is increasingly using its powers to take enforcement action against private sector organisations and government agencies to force higher standards of data security where lapses have occurred. It is using the seventh data protection principle—which states that all data processing must be undertaken in a secure environment, including preventative measures to ensure that data is not accidentally lost, stolen or destroyed—to force bodies that have suffered data breaches to sign an undertaking that they will ensure compliance and that data is adequately protected from such breaches of security. Since end-2007, some 100 organisations and government bodies have been forced to sign such undertakings.

With laws and regulations changing and with new ones coming into force more and more regularly, the ability to keep up with the obligations that your organisations face is becoming an increasingly onerous task.

This is a synopsis of the first in a series of articles related to data security and compliance, commissioned by Tabaq Software. The full text of the article can be accessed here: The legal minefield for data protection.


Published by: IT Analysis Communications Ltd.
T: +44 (0)190 888 0760 | F: +44 (0)190 888 0761