US Security Chief Calls EU 24-Hour Data Breach Notification Rule ‘Unworkable’

gdpr

AT&T’s chief privacy officer says the 24-hour deadline would force companies to notify all customers rather than just those affected

New data privacy regulations being considered by the European Union will present serious complications for US companies doing business in Europe, according to Bob Quinn, an AT&T security and data privacy executive who took part in a panel at the George Washington University School of Law in Washington, DC.

For example, the 24-hour window for data breach notifications that the European Commission is including in its proposed changes to the European Union data privacy laws is “absolutely unworkable”, AT&T’s chief privacy officer Bob Quinn said. Quinn joined executives from Facebook, eBay and MasterCard Worldwide during the National Cyber Security Alliance (NCSA) Data Privacy Day event.

Too little time

The European Commission has revealed plans for new rules to update the 17-year-old data privacy laws to better protect Internet users. The laws are intended to improve online defences that protect children from online predators, simplify data protection laws across all the European Union countries and reduce bureaucracy.

Quinn noted that once a breach is discovered, the organisation has to stop it, limit the impact, understand what happened, identify the root cause and figure out who was affected. All this in 24 hours is just not feasible and would wind up requiring organisations to notify everyone, and not just the ones who had been affected, Quinn said.

While over-notification can become an issue, it is far more important to have educated consumers, said Erin Egan, Facebook’s chief privacy officer for policy. Receiving a breach notification notice will make users aware of a potential problem and give them time to act to protect themselves, she said.

US enterprises also have to deal with a wide range complicated data breach notification rules enforced by the nation’s 50 states. MasterCard’s global privacy and data protection officer, JoAnn Stonier, said a federal breach notification law would be a lot easier than what businesses currently have to deal with, but cautioned that Congress would have to make it workable. The entire process is a “complicated stew”, she said.

Facebook supports the idea of a federal breach notification law and would like to see Congress push that legislation through, according to Egan. However, she did not think it would pass this year, but said she was not the best judge of determining the likelihood of a bill’s passage.

Three phase Facebook

Egan said Facebook defines privacy as having three parts – transparency, control and accountability – and works hard to deliver on all those areas. When she sat down with Facebook’s Chief Security Officer Joe Sullivan shortly after being appointed chief privacy officer in November, she was “blown away” by all the things Facebook does behind the scenes to ensure user privacy and security, Egan said.

Facebook takes privacy of its users seriously and is focused on improving how it communicates with users, she said. There is a big misperception that Facebook is not “as thoughtful about privacy as we are”, Egan said.

Facebook engineers are regularly innovating around privacy and security to protect their users, according to Egan. An example is the social authentication feature rolled out last year. Whenever there is a hint that the user may not be who he or she claims to be, it is important to ask for more information. Social authentication requires users to identify photos of their Facebook “friends” that are mixed in with other photos in order to verify their identity.

The person trying to break into a Facebook account may know the password, but “they probably don’t know your friends”, Egan said.

Before any product is launched at Facebook, a cross-functional team sits down and reviews its privacy and security implications, Egan said. Decisions made to safeguard user privacy, such as how long to keep the data, are implemented by security and back-end teams, she said.

Shared responsibility

Privacy is a “shared responsibility” between users and the company, according to Egan. The company needs to be upfront about what it will do with the data it collects, but users also need to think about what they want to do with the data.

The new profile page Timeline that Facebook is planning to roll out to all users is a good example of how the company uses data. The information is laid out and presented so that users have a record of events and can create a scrapbook easily. But if people do not want the information out there, they can easily decide to get rid of that piece of data. The control remains in the user’s hands, she said.

Facebook has worked hard to simplify the privacy policies on its site and explain to users how the data being collected is being used. The site provides a download tool that allows users to see exactly what Facebook has about them, Egan said. Inline controls also allow people to adjust who can see their information on an item-by-item basis.

Finally, the company knows it is accountable to the users because if it is not viewed as being trustworthy, users will not use the service, Egan said. Accountability also extends to the government, and Egan said Facebook is embracing its responsibilities as outlined under the recent settlement with the Federal Trade Commission on how it should handle user data and obtain consent.