Telecommunications and internet service providers in the EU have as of this week 24 hours from the moment of discovery to report a data breach to authorities.
There were no stringent rules like that in place in the United States, where alerting requirements were promulgated through multiple state laws that often did not specify reporting deadlines.
Organisations criticised for taking weeks or even months to notify victims have often defended the delay by claiming they needed the time to investigate the breaches.
Perkins Coie's partner Todd Hinnen said a 24-hour deadline could create undue alarm and shoddy reporting.
He said a 72-hour deadline to notify authorities would be more appropriate, adding that the US would likely deploy a national scheme.
EU Commission vice president Neelie Kroes said the strict laws were required for affected customers to take action.
“Consumers need to know when their personal data has been compromised, so that they can take remedial action if needed, and businesses need simplicity,” Kroes said.
“These new practical measures provide that level playing field.”
Providers must make an initial notification within 24 hours and a more thorough follow-up within 72 hours.
The notification must include the provider, summary of the incident, number of affected individuals, content of data impacted and measures taken to mitigate adverse effects.
EU law mandated that affected individuals be alerted “without undue delay” if breaches involved personal data.
Personal data breaches were defined as “breaches of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service in the [European] Union”.