New 24-hour data breach notification regulation places specific requirements on email safety
On 25 August 2013, a new EU regulation came into force which may have long-term effects on the email communications of all companies within the European Union. This regulation – initially concerning telecommunications and internet service providers – will require the notification of data thefts and breaches within 24 hours. Such incidents, which also include unauthorised access to sensitive customer data (in emails, for example), must therefore be reported to the competent regulatory authorities and institutions concerned within the required time period. In view of the rise in cases of data abuse, to which the EU is reacting with this regulation, email experts at GROUP Business Software AG (GBS) consider it likely that this is just the first step towards a tightening of notification requirements across various industries. "We expect that the regulation will soon be extended to other sectors", explains Andreas Richter, VP Marketing Europe at GBS.
Independently of this, companies should now begin to prepare themselves and effectively safeguard their email communications against data theft and loss. "What is the point of blocking USB ports or removing CD-ROM drives when sensitive customer data is leaking out via email and finding its way into the hands of unauthorised third parties?" asks Andreas Richter. A good security offering should therefore also cover emails along with their file attachments, since they often contain particularly important information. GBS offers its customers substantial opportunities to prevent data leaks via email, ranging from the integration of Data Leakage Prevention (DLP) to the encryption of outgoing communications. This not only prevents the loss of important data but also guarantees confidentiality in B2B and B2C environments.
However, GBS's email experts are also critical of the new EU regulation. "Companies can obviously only report the data thefts of which they have become aware. Attempted attacks often remain unnoticed long after the required 24-hour notification period has elapsed. We therefore need more preventative measures to be developed", says Andreas Richter.