EU's security breach reporting plans under fire
By Stewart Mitchell
Posted on 8 Feb 2013 at 15:15
The European Union's plan to strengthen online security by requiring companies to report data breaches has already been criticised as too broad and lacking transparency.
The EU's online security strategy plan will set up response centres in every EU country and force companies to report data breaches to the local response team.
Mandatory incident reporting is something that privacy groups have been demanding for years, and the EU said "enablers of information society" would be forced to fess up to breaches as part of the plan.
"Operators of critical infrastructures in some sectors (financial services, transport, energy, health), enablers of information society services (notably: app stores, e-commerce platforms, internet payment, cloud computing, search engines, social networks) and public administrations must adopt risk management practices and report major security incidents on their core services," the EU document reads.
The vague definition of who would count as a web enabler has led to criticism that the plan is too broad to be effective - although the claim comes from a US trade group that could see the rules as an additional burden.
"To be manageable, useful and proportionate, the requirements should be narrowly targeted at sectors which operate truly critical infrastructures," said TechAmerica in a statement.
"The sweeping and indiscriminate inclusion of 'enablers of internet-services' in the scope of the directive would fail to strike the balance between the risk-based prioritisation of assets and functions to be protected and the strong interdependencies in cyberspace across sectors and borders."
Ross Anderson, a security professor at the University of Cambridge, said the centralised reporting system could actually damage openness and make life more complicated for technology companies.
Whereas the US system for breach notification insists that users affected by a breach are informed, the EU's plans mean that only national authorities are informed, which could lead to a lack of transparency.
"Centralisation will not just damage the separation of powers essential in any democracy, but will also harm operational effectiveness," Anderson wrote in a blog post.
"Most of our critical infrastructure is in the hands of foreign companies, from O2 through EDF to Google; moving cybersecurity cooperation from the current loose association of private-public partnerships to a centralised, classified system will make it harder for most of them to play."
If the Americans Don't Like it, Then it Must Be Right
I guess that the colonial Americans simply do not like the thought that this idea was not bought via a US congressperson for hire. I am fed up with the USA thinking that they and only they can make laws that affect people outside of the US. They have had their fun in the sun prosecuting offences that, though not committed in the US and not crimes where they were 'committed', somehow fell foul of the law that someone over there bought. So tough Mr Yank, we are fed up with you being the biggest, stupidest bully about the place.
By Jonesr18 on 9 Feb 2013