[BreachExchange] EBA’s Proposed Guidelines Call for 2-Hour Notice of Data Breach

Audrey McNeil audrey at riskbasedsecurity.com
Thu Dec 15 20:42:42 EST 2016


http://paybefore.com/pay-gov/ebas-proposed-guidelines-call-for-2-hour-notice-of-data-breach/

The European Banking Authority (EBA) working with the European Central Bank
(ECB) recently released a consultation paper on guidelines for payment
service providers (PSPs) to follow in the event of security breaches. Among
the suggested mandates is notifying authorities of an incident within two
hours from the moment the breach is detected—that’s significantly faster
than the breach notification requirements set to go into force next year
under the General Data Protection Regulation (GDPR), which requires notice
within 72 hours of breach detection. The GDPR also applies to U.S.
companies that process information and intend to offer products or services
to people in the EU, or monitor people in the EU, according to legal
experts at Bryan Cave.

The proposed two-hour notification, which would be the first in a series of
required reports, is part of a standardized template that the regulators say
will help manage information throughout the investigation of a security
breach. Initial reports are not expected to provide detailed information;
they serve as an overview of what occurred and the impact it might have had.

The two-hour window “appears dramatic,” but only a “high-level
notification” is required immediately, Robert Bond, a data protection
expert and partner at Charles Russell Speechlys, told PaymentsCompliance.

Intermediate breach reports are required to keep authorities informed and
should be submitted within three business days, according to the proposal.
Final reports should provide full information on the incident, including a
detailed description of what happened, the impact it had and how it was
resolved. PSPs have two weeks after business is deemed back to normal to
provide final reports.

“These draft guidelines set out the criteria, thresholds and methodology to
be used by payment service providers in order to determine whether an
operational or security incident should be considered major and, therefore,
be notified to the competent authority in the home member state,” according
to the consultation paper.

A public hearing on the consultation will take place at the EBA premises on
Feb. 9, 2017. Comments regarding the consultation are due by March 7, 2017,
and can be sent to the EBA by clicking on the “send your comments” button
on the website.