In the wake of the latest notice from a major internet company revealing that user data has been compromised — Facebook’s admission of a security bug compromising data from 6 million users — the European Commission has published new, Europe-wide rules that will require ISPs, carriers, broadband providers and others to report to both national regulators and to subscribers more specific detail about what has been compromised, within 24 hours of the breach.
But it’s also throwing them a couple of bones. First, to get companies to invest a bit more in security, providers that have implemented approved encryption techniques and the appropriate protection measures do not have to notify the subscriber (although they still have to notify the national authority). Second, the EC is not requiring ISPs and others to report all breach details to subscribers; it merely gives them more specific criteria to help assess when they should.
There is another question mark here: how these rules affect companies that are not ISPs but still retain vital customer information. We are reaching out to the EC to ask how, for example, sites like Facebook, Twitter or Evernote — all of which have released statements on breaches and leaked information in the last several months — would be affected by the rules.
Read more: Europeans Will Now Know When And What Data Gets Compromised In A Breach — Unless It Was Encrypted | TechCrunch