EU 24-Hour Data Breach Notification Rule 'Unworkable': ATandT Executive

AT&T's chief privacy officer says the 24-hour deadline to notify customers of a data breach that is set by new European Union data privacy regulations is "absolutely unworkable" and would end up forcing companies to notify all possible customers about a breach rather than just those affected.

New data privacy regulations being implemented by the European Union will present serious complications for U.S. companies doing business in Europe, according to an IT security and data privacy executive who took part in a panel at the George Washington University School of Law in Washington, D.C.

For example, the 24-hour window for data breach notifications that the European Commission is including in its proposed changes to the European Union data privacy laws is "absolutely unworkable," AT&T's Chief Privacy Officer Bob Quinn said. Quinn joined executives from Facebook, eBay and MasterCard Worldwide to discuss privacy issues Jan. 26 on the panel that was part of the National Cyber Security Alliance's Data Privacy Day event.

The European Commission on Jan. 25 introduced new rules to update the 17-year-old data privacy laws to better protect Internet users. The laws are intended to improve online defenses that protect children from online predators, simplify data protection laws across all the European Union countries and reduce bureaucracy.

Quinn noted that once a breach is discovered, the organization has to stop it, limit the impact, understand what happened, identify the root cause and figure out who was affected. All this in 24 hours is just not feasible and would wind up requiring organizations to notify everyone, and not just the ones who had been affected, Quinn said.

While overnotification can become an issue, it's far more important to have educated consumers, said Erin Egan, Facebook's chief privacy officer for policy. Receiving a breach notification notice will make users aware of a potential problem and give them time to act to protect themselves, she said.

U.S. enterprises also have to deal with a wide range complicated data breach notification rules enforced by the nation's 50 states. MasterCard's global privacy and data protection officer, JoAnn Stonier, said a federal breach notification law would be a lot easier than what businesses currently have to deal with, but cautioned that Congress would have to make it workable. The entire process is a "complicated stew," she said.

Facebook supports the idea of a federal breach notification law and would like to see Congress push that legislation through, according to Egan. However, she didn't think it would pass this year, but said she wasn't the best judge of determining the likelihood of a bill's passage.

Facebook, Egan said, defines privacy as having three parts-transparency, control and accountability-and works hard to deliver on all those areas. When she sat down with Facebook's Chief Security Officer Joe Sullivan shortly after being appointed chief privacy officer in November, she was "blown away" by all the things Facebook does behind the scenes to ensure user privacy and security, Egan said.

Facebook takes privacy of its users seriously and is focused on improving how it communicates with users, she said. There is a big misperception that Facebook isn't "as thoughtful about privacy as we are," Egan said.