Europe’s Definition of Data Security Breach

To conclude whether a “breach” of data security has occurred can be very difficult.  Many factors can play into an assessment whether security has been breached.

In a complex IT setting, many inclusive pieces of evidence might suggest that a breach has or has not happened.

To gather and evaluate all the relevant evidence can take much time and effort.

What’s more, the overall assessment can involve many subjective judgment calls.

In an enterprise of any size, hints or incidents suggesting that a breach has occurred can arise frequently.  But many of these hints or incidents are not themselves reliable proof of a breach.

Breach Defined

Legal authorities around the world have articulated numerous and diverse standards for what constitutes a breach.

The latest standard applies to ISPs in Europe.  The European Commission appears to desire that ISPs provide a lot of day-to-day information to national data protection authorities: “The provider shall notify the personal data breach to the competent national authority no later than 24 hours after the detection of the personal data breach, where feasible.”

“Detect” seems like a very low threshold!  An ISP can “detect” floods of evidence, but not have time to evaluate it in a mere 24 hours.

The Commission places some constraint on its detection standard.
Rushed Disclosure?
"Detection" means "provider has acquired sufficient awareness that a security incident has occurred that led to personal data being compromised, in order to make a meaningful notification."

Longer Investigations

In the course of an ongoing investigation – which is common in the security departments of large enterprises – the Commission expects another update within 72 hours of the initial detection.

Persistent threats and advanced threats can be numerous and can take a long time to investigate.  These threats have been increasing over the years.

Stream of Briefings

Therefore, this regulation suggests ISPs could be sending a steady and growing stream of detailed briefings to national authorities.

Some authorities may not be able to process so much information and may interpret the term “meaningful notification” at a higher threshold.

==
See Related Article:  In 2013 the US Department of Health and Human Service promulgated a new standard for when data breach notices must be given in the healthcare industry.