EU Information Security Agency Recommends Clear and Broad Interpretation of Data Breach Requirements

On August 27, 2012, the European Network and Information Security Agency (ENISA) issued a paper, “Cyber Incident Reporting in the EU,” which analyzes the current state of EU legislation covering data breaches. It observes that many breaches remain undetected and, even if detected, are not reported to authorities or known to the public. As a result, it finds a lack of transparency into the causes of the incidents or the impact on the users, which poses a challenge for policy makers.

Stressing the importance of incident reporting and consistency, the report indicates that a few highly publicized breaches (such as the LinkedIn incident in June 2012 that affected 6.5 million passwords and the Research In Motion, Ltd. incident in October 2011 that caused email outages throughout the world) do not squarely fit into any of the EU regulations covering breaches and notification. The report highlights the importance of discussion among the national authorities and the EC to clarify the scope of legislation and address gaps. It does not urge an overhaul of the text of existing laws, but rather stresses a broad interpretation that would account for the evolving landscape of electronic telecommunications. It views the European Commission's development of a Cyber Security Strategy as a positive step towards increasing transparency, understanding and prevention.

Data Privacy Law Enacted in the Philippines

President Aquino recently signed into law Republic Act No. 10173: “An Act Protecting Individual Personal Information in Information and Communication Systems in the Government and the Private Sector,” or the Data Privacy Act 2012. The law is said to be designed to comply with international data security standards and to provide comfort in the security of data belonging to companies outside the Philippines but increasingly handled by companies in the information technology – business processing outsourcing (IT-BPO) sector in the Philippines. The law is based upon the European Data Directive and creates a National Privacy Commission for its enforcement.

Jamaica Envisions Data Protection Act by 2012/2013

Jamaica has announced that it will promulgate its Data Protection Act during this financial year. The need for the implementation of a data protection law had been discussed within Jamaica for some time, and on July 31, 2012, Hon. Julian Robinson, the Minister of State in the Ministry of Science, Technology, Energy and Mining, made the announcement to the House of Representatives at the 2012/13 Sectoral Debate. As reported by the Jamaica Information Service, Mr. Robinson cited the “need for more uniform, robust and clear mandate to protect privacy and personal information” and noted that the law will cover the collection, processing, retaining, use and disclosure of personal information. He also announced that by the 2013/2014 financial year the government will establish an Information and Communication Technology (ICT) Regulator. The regulator will take on some of the functions of authorities and commissions already in place.