New EU Rules Require ISPs, Telcos To Come Clean Within 24 Hours of Data Breaches 70
hypnosec writes "Under new EU regulations ISPs and Telcos serving European customers will have to come clean within 24 hours in case of a security or data breach that leads to theft, loss, or compromise of data. Companies will have to disclose the nature and size of the breach within the first 24 hours. Whenever it's not possible to submit such data, they must provide 'initial information' within the stipulated time and full details within three days. Under the new terms the affected organizations will be required to reveal information such as information that has been compromised and the steps that have been taken or will be taken to resolve the situation. If the breach 'is likely to adversely affect' personal information or privacy, affected businesses and consumers will be notified of the breach."
NSA too? (Score:5, Interesting)
Does this mean the alleged NSA taps on major internet links that monitor all traffic would have to be reported as breaches too if an EU ISP discovers (or knowingly installs) one?
Re:NSA too? (Score:4, Funny)
Does this mean the alleged NSA taps on major internet links that monitor all traffic would have to be reported as breaches too if an EU ISP discovers (or knowingly installs) one?
Yes.
it's part of why nsa wanted soooo much to keep it secret. plenty of companies have to stop using american hosting if they technically know that the US servers are compromised.
Re:NSA too? (Score:4, Informative)
that's the point of making them come clean of compromise to the data or get burnt if they get outed by someone.
americans can't do anything about it - but if european operating companies are liable legally in europe about the breaches they will either have to disclose the data compromises to their customers(bad for business) or move the servers inside eu and not share all data(since you know, the european privacy laws are against that).
Re: (Score:2)
Re: (Score:3)
"Breach" implies access without permission.
The NSA has government-mandated permission so their access doesn't fall under this law.
Re: (Score:2)
This is EU law we are talking about. Please substantiate your claim that the EU government has given the NSA permission.
You are absolutely right.
Your parent misses the obvious.
Re: (Score:1)
Traffic monitoring is not the same as a data breach. A data breach is data being accessed without authorization - usually in a database-style scenario - internet traffic is viewable for every intermediate router and therefore confidentiality cannot be ensured in the first place, without appropriate security protocols. Similarly (nearly?) every ISP monitors their network for unusual behavior and traffic patterns (when is there a lot of activity? where should additional hardware be deployed?), which would the
Re: (Score:3)
Does this mean the alleged NSA taps on major internet links that monitor all traffic would have to be reported as breaches too if an EU ISP discovers (or knowingly installs) one?
If you RTFA you would find out:
There are a few exceptions though – companies will not be required to pass on the data in cases where there are "justified national security reasons", companies like Facebook and Google who fall under Data Protection Direction, companies that take steps such as encryption of data.
Re: (Score:3)
There are a few exceptions though – companies will not be required to pass on the data in cases where there are "justified national security reasons", companies like Facebook and Google who fall under Data Protection Directive, companies that take steps such as encryption of data.
This reminds me of the Data Retention Directive, passed in what... 2006?
First they require you to keep all data... then they require you to protect the data they made you keep.
Here is a thought: The best way to let me protect my data is to let me delete it.
Re: (Score:2)
What are you some kind of subversive?
Re: (Score:2)
Any other questions?
Re: (Score:1)
What national security reasons are there for retaining the average persons internet traffic?
Re:NSA too? (Score:4, Insightful)
I got it this one's easy.
Today's 'average person' may be tomorrow's protestor. Heck that person might actually start turning into someone that other proletariat start listening too. And if their message is in any way threatening to those that gain from the power of the national security apparatus then said apparatus can dig in to so-called 'average person's' past communications to dig up the dirt on them, discredit them, jail them if necessary, and to thereby to retain their power without threat.
See how easy that is?
You're welcome.
No. (Score:2)
For good measure, again No.
From the last paragraph of TFA [paritynews.com] :-
This provision is likely useless against the NSA.
Hopefully coming soon to the US (Score:1)
It's just too easy for US companies to "pretend nothing happened".
Re:Hopefully coming soon to the US (Score:5, Interesting)
I wonder how this law is to be enforced. If nothing is ever told that the breach happened (and logs "expired" pertaining to the breach), then only the party that did the intrusion would really have proof it ever happened.
General system logs don't have all the eDiscovery rules that E-mail do, and I sort of dread to have to keep every syslog/event log from every single machine for x amount of time, because an intruder can easily just trash the log archive server unless the logs were written something like WORM tape, or EMC's SAN that does WORM volumes.
In any case, this law is a start, and I wish similar laws would reach across the pond too. However, my fear is that even successful breaches will be classified as "attempts" and never reported... and if they are, it will be one person who gets the blame for failing to report it, they get sacked, and life goes on.
Re: (Score:2)
I was wondering the same thing.
Are the majority of breaches only discovered when some external party says. 'Lulz I gotz ur data'?
Re: (Score:1)
It just means any whistleblower or hackers themselves can report the findings into public. Companies are pretty much forced to hand in any reports of breaches; they can't keep quiet about it because otherwise the penalties will be even more severe after the day's over.
This is a good move. It'll finally keep people/companies on their toes instead of try to hide their flaws.
Re: (Score:3)
I wonder how this law is to be enforced. If nothing is ever told that the breach happened (and logs "expired" pertaining to the breach), then only the party that did the intrusion would really have proof it ever happened.
That a company does it's best to hide that their systems where breached doesn't mean that it will never come out.
If lists of passwords appear online, or if somebody abuses customer data that was only ever disclosed to that company, they will be in deep sh*t if it comes out that they knew about the breach and did not follow the law.
Re: (Score:2)
Most countries have laws requiring any company that handles personal data to take reasonable steps to protect it. That means intrusion prevention and detection. If they don't they are breaching the law anyway, so saying "we didn't know" isn't a valid excuse.
There are ways ... (Score:3)
Of course, "proof" for a court of law could require a bit more, but I think that needs to be established as jurisp
Re: (Score:2)
Re: (Score:1)
So you have couple of easily detectable cases:
* Missing logs or other log anomalies and no reported breach - bad and easy to check
* Logs with breach activity and no reported breach - bad and possible to check
So the worst case is actually if someone manages to reconstruct the logs, however I would say that would not be so easy these days with redundant and complex systems that lo
US congress - Are you listening (Score:2)
Europe is more about freedom than the US.
All the right wing congressmen prancing about, but they claim to disavow surveillance.
I'm just a trouble maker finding holes in the wall...
rats seem to like peanutbutter more than cheese, but there's lots of that...
Re: (Score:1)
Europe has its own freedom problems. Both sides do different things well. While it's great to ignore all the negatives to make statements like this, remember that one side isn't necessarily better than the other.
Re: (Score:3)
Re: (Score:2)
yeah otherwise I'd have to ask "is it illegal to deny the moon landings in any state or county in the USA?" instead of just "... in the USA?"
Re: (Score:2)
Given that there are several differences in state laws both in the U.S. and EU, you should better ask that.
Re: (Score:2)
I don't know about every European country but In France and Austria you'd get in trouble as well.
Re: (Score:1)
Sentences that begin with "In Europe" are hardly ever true or factual. Holocaust-denial is not a crime in every one of the 50 countries of Europe. Please, stop generalizing.
Re: (Score:1)
In US, you can be thrown in to some pit and be tortured by some sadistic guards, just because the government thinks so. And that's when you are lucky. If not, you can be killed alongside your whole family and half your neighbors. The US is more like North Korea than like a civilized country.
Re: (Score:2)
Not just whether it happened but the official figure on the number of dead. Question that "oh maybe it was 100,000 less than the official version" and its jail time.
The problem is that it encourages the neo-nazis because some people get the feeling that the government is trying to cover something up.
Re: (Score:1)
Not just whether it happened but the official figure on the number of dead. Question that "oh maybe it was 100,000 less than the official version" and its jail time.
The problem is that it encourages the neo-nazis because some people get the feeling that the government is trying to cover something up.
Can you please cite *any* specific examples where you get jail time for claiming that number of dead are off by 100,000?
Does a request count as a "breach"? (Score:1)
Why just Telcos? (Score:1)
This should be for all internet service providers of some scale.. I mean telcos have a lot of communications metadata, but breaching that is not actually something I need to know QUICKLY. What I need to know stores and places with my credit cards and shared accounts are stored. "Do I need to reset passwords" is basically the main question.
What can reasonably be accomplished in three days? (Score:4, Interesting)
Do they really expect every massive, multi-part intrusion to be investigated to completion so that a full report can be made after only 72 hours? What am I missing?
Re: (Score:1)
There's no full report required, just the immediate discovery and notification thereof. "Breach detected, your password may be stolen, please change it now". It's about giving people the ability to take measures ASAP.
Re: (Score:2)
That's not how I read it, but that would make more sense, I suppose. I'm thinking of situations where you have a multi-pronged attack, and one prong accesses one set of sensitive data, and the other prong accesses another. One access may be discovered, the clock starts, and 72 hours later they may not even be far enough into their forensics to find out about the other prong of the attack. But if you're defining each as its own "breach", even though it's part of the same larger complex attack, I suppose i
Re: (Score:2)
Your post suggests you've never done this before. Consider:
1. Spear phishing attack nets the credentials of employee A.
2. A's credentials are used to access sensitive data B. A normally has access to B so this doesn't set off any alarms.
3. A's credentials are used to plant malicious code on an internal web site.
4. Malicious code nets credentials of employee C and D and E (and a dozen others).
5. A separate attacker probes C's access, digs through source code repository.
6. Source code review yields an explo
If they didn't have data... (Score:1)
Suppose ISPs (and that includes telcos) were required to only provide connections, an no other products: they simply provided a wire and a router for a monthly bill. They could have no data at all about you aside from how to bill you. Now suppose they perform competitive bidding to provide service to a separably maintained database of customers (or multiple such databases if you dislike centralization) which handled billing. Then the ISPs don't even have your billing information, and in the case of wireless
Re: (Score:2)
Now suppose they perform competitive bidding to provide service to a separably maintained database of customers (or multiple such databases if you dislike centralization) which handled billing.
So... instead of having to hack the database of all service providers an attacker would only have to hack one (or a small number of) database(s) to get the data of all consumers?
No that's progress.
Re: (Score:2)
Its progress thats there would be no information about your browsing activity stored anywhere related to the ISP.
It's progress from the view of the state, which would very much like that information centralized. But it's the opposite from the point of view of The People, who would prefer that governments have to jump through as many hoops as possible before viewing data that doesn't belong to them.
Yes, storing the state in a third party location does not make it invincible, but it makes it easy to limit what is stored,
No easier than storing it anywhere (everywhere) else
and easy to regulate and audit for security purposes.
Yes, where "security" is euphemistic.
GCHQ spying was a data breach (Score:4, Insightful)
EU Privacy directive is still law, EU Right to Privacy is still written directly into UK law. RIPA does not trump the fundamental rights and it didn't give them permission :
http://www.legislation.gov.uk/ukpga/2000/23/section/1
"(4)Where the United Kingdom is a party to an international agreement which—
(a)relates to the provision of mutual assistance in connection with, or in the form of, the interception of communications,
(b)requires the issue of a warrant, order or equivalent instrument in cases in which assistance is given, and
(c)is designated for the purposes of this subsection by an order made by the Secretary of State,
it shall be the duty of the Secretary of State to secure that no request for assistance in accordance with the agreement is made on behalf of a person in the United Kingdom to the competent authorities of a country or territory outside the United Kingdom except with lawful authority."
You didn't have a UK court order, so you didn't have lawful authority to intercept UK comms. It was done illegally. You cannot transcribe a mass surveillance directive FISA warrant into UK law and pretend it gives you UK lawful authority. FISA law does not apply to UK, a FISA warrant does not count as lawful authority. If it did, then American law would count as lawful authority over any UK law.
Without even getting into whether a US law that violates the 4th Amendment is lawful authority or not. It is not lawful in the UK. It is not lawful under RIPA.
So the companies who assisted in this, need to come forward and report what they did as a data breach. Because that is what it is. Parliament rules UK, not GCHQ, not NSA.
In particular Vodafone is buying Deuschland Kabel and Vodafone network in Greece was spied on in 2004, so the Germans need to ensure their network is secure from extra-legal surveillance before allowing that to go ahead. Answers are needed.
It may be "legal" under UK law (Score:2)
Full credit to this article at the London School of Economics and Politic Science [lse.ac.uk] .
It is clear that FISA allows the US to target ‘persons reasonably believed to be located outside the United States to acquire foreign intelligence information’. Arguably, when intelligence already in the hands of an agency such as the NSA is handed over to the GCHQ, there is little, if any, legal regulation or oversight in that situation as the RIPA applies only when the GCHQ gathers the data itself. If the data i
Abuse may have already begun (Score:2)
I forgot to add that while I'm sympathetic to your point of view, it appears that from a purely legal point of view, the authorities appear to have ensured that their actions are clothed with a fig-leaf of legality. Whether their actions have any moral justifications is an entirely different matter.
What is particularly repugnant is that these overly broad surveillance powers may have already been used to target civil liberty groups [guardian.co.uk] in the UK. I would think that it is a clear abuse of power to spy on parties
Why so specific? (Score:1)
Am I missing something here..? Why ISPs and telcos?
If its important enough to set up new legislation/regulation then shouldn't this apply to _any_ corporations?
Shouldn't Amazon, eBay and your banks be similarly accountable? I know if be a lot more angry if my bank exposed my personal and financial details than my ISP.
Gap between when breach occurs and '"detected" (Score:1)
Keep in mind there can be a significant gap between when something happens, it is noticed, and when it is "officially" reported by the company.