Article Lead Image

U.S. edges closer to new data-security law as E.U. inks deal

You may soon be getting notices anytime a company you patron gets hacked.


Eric Geller


The European Union on Monday finalized a rule requiring companies to notify European governments and customers when they suffer a data breach or other cyber incident.

The Network and Information Security Directive, the E.U.’s first cybersecurity law, would require companies that store user data to alert the public if hackers breach their systems.

“The Internet knows no border—a problem in one country can have a knock-on effect in the rest of Europe,” Andrus Ansip, the European Commissioner overseeing the region’s unified digital market, said in a statement after a marathon five-hour negotiating session of the E.U. Parliament. “This is why we need EU-wide cyber-security solutions.”

“The Internet knows no border—a problem in one country can have a knock-on effect in the rest of Europe.”

The notification directive places the strictest reporting requirements on sectors deemed critical to national security and civil society, such as transportation and energy companies. Web firms like Google and Facebook face more flexible requirements, but European governments can still fine them if they fail to report a breach.

“Improving cooperation and information exchange between Member States is a key element of the agreed rules and will help us tackle the increasing number of cyber-attacks,” Günther Oettinger, the European Commissioner for Digital Economy and Society, said in the Commission’s statement.

Europe’s push to standardize data-breach notifications comes as the U.S. Congress considers notification bills of its own. The House Financial Services Committee was set to mark up one such bill, the Data Security Act, on Tuesday, and a Democratic lawmaker planned to introduce her own notification bill the same day.

The Data Security Act does not set timetables for notifications, while the other bill sets a 10-day deadline to notify law enforcement and a 3o-day deadline to notify customers. Both bills would also require companies storing sensitive user data to implement more rigorous security measures to identify and expel hackers.

U.S. businesses have faced an unprecedented wave of cyberattacks in recent years, with both state-sponsored groups and independent actors breaching systems at companies like Sony, Target, and JPMorgan. Hackers reportedly linked to China also infiltrated the Office of Personnel Management, the federal government’s human-resources office; the resulting theft of nearly 22 million federal workers’ confidential records sparked a legislative focus on cybersecurity that has lasted for most of 2015.

Illustration by Max Fleishman 

The Daily Dot