As of this week, telecommunications and internet service providers in the EU have 24 hours from the moment of discovery to report a data breach to authorities.
The new legislation, announced in June, requires telco providers to notify EU authorities within a day of detection if any loss of data, unauthorised access or theft has arisen from a breach.
The legislation came into effect this week.
Similar rules governing mandatory data breach notification have been put forward in Australia, but proposed legislation failed to be heard on the last day of Senate sitting in June.
Organisations criticised for taking weeks or even months to notify victims have often defended delays in revealing a breach, claiming they needed the time to investigate.
EU Commission vice president Neelie Kroes said the new strict laws were required for affected customers to take action.
“Consumers need to know when their personal data has been compromised, so that they can take remedial action if needed, and businesses need simplicity,” Kroes said.
“These new practical measures provide that level playing field.”
Telcos and ISPs in the European Union will need to provide an initial notification within 24 hours and a more thorough follow-up within 72 hours.
The notification must include the provider, summary of the incident, number of affected individuals, content of data impacted and measures taken to mitigate adverse effects.
EU law mandated that affected individuals were alerted “without undue delay” if breaches involved personal data.
Personal data breaches were defined as “breaches of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service in the [European] Union”.