EDPS Seminar: Responding to data breaches

By EDRi · November 18, 2009

This article is also available in:
German: [Seminar of the European Data Protection Supervisor: Responding to data breaches | http://www.unwatched.org/node/1590]

On 23 October 2009 the European Data Protection Supervisor (EDPS) and the
European Network and Information Security Agency (ENISA) organised a seminar
on security breaches. The three sessions focussed on the prevention, the
management and the reporting of data breaches.

The background to this seminar was the upcoming reform of the ePrivacy
Directive (2002/58/EC), which will require telecommunication providers to
notify security breaches involving personal data. EDRi was invited to present
its positions on this topic.

From a data subject's point of view, data breach notifications are not only
an important instrument for mitigating the risk of identity theft and other
criminal uses of leaked data. Since active identity management is becoming
more and more important in the information society (everybody does some kind
of "identity management", e.g. by keeping private and professional
information separate), it is also increasingly important to know who has
access to which personal information and which information has become public,
whether on purpose or through an accidental security breach.

Data breaches therefore cause not only financial risks but also a risk to
one's identity management and, as the German Constitutional Court defined it
about 25 years ago, to one's right to informational self-determination.

Several safeguards are therefore necessary to reduce the risk of data
breaches occurring. Data controllers should conduct risk assessments to
identify potential threats to the data they process and the negative effects
a breach would have, not only for the controllers themselves but also for the
data subjects. Based on this assessment, they should improve data security
through technical and organisational measures, in particular by focusing on
data minimisation and the use of privacy enhancing technologies.

Based on the risk assessment, guidelines should be developed on how to
respond to data breaches, both as a data controller and as a data subject.
This helps to ensure that data controllers and affected individuals can
respond effectively to a given data breach and have at hand all the
information needed to minimise its negative effects.

Mandatory data breach notifications for telecommunication providers are an
important first step towards addressing a serious problem. Similar
obligations need to be introduced soon for all other sectors and businesses,
public and private.

Stakeholders discuss how to respond to data breaches at EDPS-ENISA seminar
(26.10.2009)
http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/EDPS/PressNews/Press/2009/EDPS-2009-12_Data_breach_seminar_EN.pdf

Data breach notification: Requirements from a Civil society perspective
(23.10.2009)
http://www.edri.org/docs/Krisch_data_breach_notification_20091023.pdf

EDRi-gram: EDPS endorses data breach notification provision in ePrivacy
Directive (28.04.2008)
http://www.edri.org/edrigram/number6.8/edps-data-breach-notification

(Contribution from Andreas Krisch – EDRi)