New EU rules require ISPs, Telcos to come clean within 24 hours of data breach

Telecom operators or Internet service providers (ISPs) operating in Europe that suffer a data breach leading to the loss, theft or any other compromise of personal data will have to notify national data protection authorities within 24 hours. Companies will have to disclose the nature and size of the breach within the first 24 hours; where it is not possible to submit such data in that time, they must provide “initial information” within the stipulated period and full details within three days.

Under the new terms the affected organizations will be required to reveal details such as which information has been compromised and the steps that have been taken or will be taken to resolve the situation. If the breach “is likely to adversely affect” personal information or privacy, affected businesses and consumers will also be notified of the breach.

ISPs and Telcos operating in the EU have been required to inform authorities about security breaches leading to the compromise of personal data since 2011, but the latest guidelines explain how to fulfill this requirement and specify the timeframes within which such incidents have to be reported. The new regulations also require companies to pay specific attention to the type of data compromised whenever the breach may have resulted in the theft, loss or compromise of financial information, location data, email data and the like.

There are a few exceptions though: companies will not be required to pass on the data in cases where there are “justified national security reasons”, companies like Facebook and Google that fall under the Data Protection Directive are excluded, and so are companies that have taken protective steps such as encrypting the data.