New laws will shake up underreporting of data breaches in Europe

The data breach that affected beleaguered telecoms provider TalkTalk last month has once again raised the importance of securing personal data.

Speaking of the breach, Jeremy King, international director of the PCI Security Standards Council, warned that there is a common misconception that high-profile data breaches in Europe are much less prevalent than in the USA.

“In Europe, we do suffer from breaches.” – Jeremy King

Two important new pieces of legislation, the EU General Data Protection Regulation (GDPR) and the Payment Services Directive, will soon mandate strict data breach notification processes across Europe.

“Recent high-profile breaches clearly have shown that breaches don’t just happen in the USA,” King said. “Regulators in Europe are getting tired of these breaches. … We are still fighting a major battle against the cybercriminals, and organisations need to take this seriously. Criminals are finding their way in. And once they’re in, they can get access to a lot of very valuable data.”

TalkTalk breach came to light due to regulation

Data breach notification requirements currently vary from one European country to another. In the UK, however, telecommunications providers and government bodies are already required by law to disclose data breaches, which King suggests is why the TalkTalk breach came to light.

King stressed that the PCI DSS offers the level of security that organisations need to tackle the problem of data breaches.

The PCI DSS offers a solution for PII protection

He explained that although the PCI DSS does not specifically mandate the protection of personally identifiable information (PII), the processes and procedures that apply to card security can be applied to protect any other types of data.

TalkTalk has admitted that it didn’t encrypt all of its customer data, including bank account details, passwords, home addresses and telephone numbers.

King said that many organisations use third parties in an effort to offload their responsibility for protecting card data, but aren’t spending enough to protect their customers’ data.

King called for organisations to start preparing for these new requirements now because “it will take time to really look at these [new] standards and work out how they’re going to impact your organisation.”

Criminals are getting very good at finding their way in, and organisations need to ensure they are using current, effective security measures to tighten their defences.

If your organisation is looking at getting started with the PCI DSS, you can contact IT Governance for an initial PCI DSS gap analysis.
