U.S.-based tech companies that store data on the Internet may soon be required to report the loss or theft of personal information to the E.U. or face sanctions and fines, according to legislation being proposed by the European Commission. As reported in the New York Times last Wednesday, the proposal, which is being drafted by the Vice-President of the European Commission responsible for the Digital Agenda, seeks “to impose, for the first time, E.U.-wide reporting requirements on companies that run large databases, those used for Internet searches, social networks, e-commerce or cloud services.” The proposal is expected to be reviewed by the European Commission on January 30.
The plan is controversial because, among other things, it would extend the obligation to report data breaches beyond traditional compilers of customer databases for critical infrastructure, such as telephone, transport and utility companies, to the “enablers of Internet services, e-commerce platforms, Internet payment gateways, social networks, search engines, cloud computing services, applications stores” and, for the first time, require U.S. companies to report breaches to a national authority, a reporting obligation that does not exist at the national level in the United States. In the U.S., notification of data breaches is enforced by the states, not the federal government, with most states requiring companies only to report security breaches involving more than 500 customers.
Although the full scope of the reporting mandate is unclear, if enacted, the legislation would require companies storing data online to spend more time monitoring and reporting security breaches, and extend those reporting obligations overseas.