EU security breach reporting plans under fire


Who is an 'enabler'?

The European Union's plan to strengthen online security by requiring companies to report data breaches has already been criticised as too broad and lacking transparency.

The security strategy plan will set up response centres in every EU country and force companies to report data breaches to their local response team.

Mandatory incident reporting is something that privacy groups have been demanding for years, and the EU said "enablers of information society" would be forced to fess up to breaches as part of the plan.

"Operators of critical infrastructures in some sectors (financial services, transport, energy, health), enablers of information society services (notably: app stores, e-commerce platforms, internet payment, cloud computing, search engines, social networks) and public administrations must adopt risk management practices and report major security incidents on their core services," the EU document reads.

The vague definitions of who would count as a web enabler have led to criticism that the plan is too broad to be effective - although the claim comes from a US trade group that could see the rules as an additional burden.

"To be manageable, useful and proportionate, the requirements should be narrowly targeted at sectors which operate truly critical infrastructures," TechAmerica said in a statement.

"The sweeping and indiscriminate inclusion of 'enablers of internet-services' in the scope of the directive would fail to strike the balance between the risk-based prioritisation of assets and functions to be protected and the strong interdependencies in cyberspace across sectors and borders."

Centralised risks

Ross Anderson, a security professor at the University of Cambridge, said the centralised reporting system could actually damage openness and make life more complicated for technology companies.

Whereas the US system for breach notification insists that users affected by a breach are informed, the EU's plans mean only national authorities are informed, which could lead to a lack of transparency.

"Centralisation will not just damage the separation of powers essential in any democracy, but will also harm operational effectiveness," Anderson wrote in a blog post.

"Most of our critical infrastructure is in the hands of foreign companies, from O2 through EDF to Google; moving cybersecurity cooperation from the current loose association of private-public partnerships to a centralised, classified system will make it harder for most of them to play."

This article first appeared on PCPro.

Copyright © Alphr, Dennis Publishing