[e-privacy] EDRI-Gram: European Data Protection Supervisor - Seminar: Responding to data breaches

Andrea Glorioso andrea at digitalpolicy.it
Thu Nov 19 15:28:22 CET 2009


============================================================
6. EDPS Seminar: Responding to data breaches
============================================================

On 23 October 2009 the European Data Protection Supervisor (EDPS) and the
European Network and Information Security Agency (ENISA) organised a seminar
on security breaches. The three sessions focussed on the prevention, the
management and the reporting of data breaches.

The background to this seminar was the upcoming reform of the ePrivacy
directive (2002/58), which will require telecommunication providers to notify
security breaches related to personal data. EDRi was invited to present its
positions on this topic.

From a data subject's point of view, data breach notifications are not only an
important instrument to mitigate the risk of identity theft or other
criminal uses of leaked data. Since active identity management is
becoming more and more important in the information society (everybody does
some kind of "identity management" by e.g. keeping private and professional
information separated), it is also increasingly important to know who has
access to which personal information and which information became public -
either on purpose or by accidental security breaches.

Data breaches therefore cause not only financial risks but also a risk to
one's identity management and - as the German Constitutional Court defined it
about 25 years ago - one's right to informational self-determination.

Therefore several safeguards are necessary to mitigate the risks for data
breaches to occur. Data controllers should conduct risk assessments to
identify potential threats to the data they process and the potential
negative effects such a breach would cause not only for the controllers but
also for the data subjects. Based on this assessment they should improve
data security by technical and organisational measures and especially by
focusing on data minimisation and the use of privacy enhancing technologies.

Based on the risk assessment, guidelines should be developed on how to
respond to data breaches, both as a data controller and as a data subject.
This helps to ensure that data controllers and affected individuals can
effectively respond to a given data breach event and have at hand all the
information needed to minimise negative effects.

Mandatory data breach notifications for telecommunication providers are an
important first step to address an important problem. Similar obligations
need to be implemented soon for all other sectors - public and private - and
businesses.

Stakeholders discuss how to respond to data breaches at EDPS-ENISA seminar
(26.10.2009)
http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/EDPS/PressNews/Press/2009/EDPS-2009-12_Data_breach_seminar_EN.pdf

Data breach notification: Requirements from a Civil society perspective
(23.10.2009)
http://www.edri.org/docs/Krisch_data_breach_notification_20091023.pdf

EDRi-gram: EDPS endorses data breach notification provision in ePrivacy
Directive (28.04.2008)
http://www.edri.org/edrigram/number6.8/edps-data-breach-notification

--
      Andrea Glorioso || http://people.digitalpolicy.it/sama/cv/
          M: +32-488-409-055         F: +39-051-930-31-133
      * The opinions expressed here are absolutely personal *

        "Constitutions represent the deliberate judgment of the
        people as to the provisions and restraints which [...] will
        secure to each citizen the greatest liberty and utmost
        protection. They are rules proscribed by
        Philip sober to control Philip drunk."
                        David J. Brewer (1893)
        An Independent Judiciary as the Salvation of the Nation