Brian Pennington

A blog about Cyber Security & Compliance


European Data Protection Supervisor

An overview of EU security legislation and the impact of cyber incident reporting

The European Network and Information Security Agency (ENISA) is a centre of network and information security expertise for the EU, its member states, the private sector and Europe’s citizens.

ENISA has responded to the growing threat posed by cyber security incidents by producing an overview paper of current legislation and the impact of incident reporting.

I have summarised the ENISA paper below.

ENISA started the paper by quoting five recent incidents to support their findings and conclusions:-

  1. In June 2012 6.5 million (SHA-1) hashed passwords of a large business-focussed social network appeared on public hacker forums. The impact of the breach is not fully known, but millions of users were urged to change their passwords and their personal data could be at risk.
  2. In December 2011, the storm Dagmar affected power supplies to electronic communication networks in Norway, Sweden and Finland. As a result millions of users were without telephony or internet for up to two weeks.
  3. In October 2011 there was a failure in the UK datacentre of a large smartphone vendor. As a result millions of users across the EU and globally could not send or receive emails, which severely affected the financial sector.
  4. Over the summer 2011, a Dutch certificate authority experienced a security breach, allowing attackers to generate fake PKI certificates. The fake certificates, the result of the breach, were used to wiretap the online communications of around half a million Iranian citizens. Following the breach many Dutch e-government websites were offline or declared unsafe to visit.
  5. In April 2010 a Chinese telecom provider hijacked 15% of the world’s internet traffic through Chinese servers for 20 minutes, routing traffic to some large e-commerce sites, such as and as well as the .mil and .gov domains, et cetera. As a result, the internet communications of millions of users were exposed (to eavesdropping).

The five quoted incidents are just the tip of the iceberg, as you will find out later in the post, but to give an insight into UK breaches read my post on who the UK’s Information Commissioner has caught this year for breaching the current Data Protection Act here.

Article 13a of the Framework directive: “Security and Integrity”

The Telecoms reform passed into law in 2009, adds Article 13a to the Framework directive, regarding security and integrity of public electronic communication networks and services. Article 13a states:

  • Providers of public communication networks and services should take measures to guarantee security and integrity (i.e. availability) of their networks.
  • Providers must report to competent national authorities about significant security breaches.
  • National authorities should inform ENISA and authorities abroad when necessary, for example in case of incidents with impact across borders.
  • National authorities should report to ENISA and the European Commission (EC) about the incident reports annually.

Article 13a also says that the EC may issue more detailed implementation requirements if needed, taking into account ENISA’s opinion.

The EC, ENISA, and the national regulators have been collaborating for the past 2 years to implement Article 13a and to agree on a single set of security measures for the European electronic communications sector and a modality for reporting about security breaches in the electronic communications sector to authorities abroad, to ENISA and the EC.

In May 2012 ENISA received the first set of annual reports from Member States, concerning incident that occurred in 2011. ENISA received 51 incident reports about large incidents, which exceeded an agreed impact threshold. The reports describe services affected, number of users affected, duration, root causes, actions taken and lessons learnt. While nationally incident reporting is implemented differently, with different procedures, thresholds, et cetera, nearly all national regulators use a common procedure, a common template and common thresholds for reporting to the EC and ENISA.

Article 4 of the e-Privacy directive: “Security of processing”

The Telecoms reform also changed the e-Privacy Directive, which addresses data protection and privacy related to the provision of public electronic communication networks or services. Article 4 of the e-Privacy directive requires providers to notify personal data breaches to the competent authority and subscribers concerned, without undue delay.

The obligations for providers are:

  • to take appropriate technical and organisational measures to ensure security of services,
  • to notify personal data breaches to the competent national authority,
  • to notify data breaches to the subscribers or individuals concerned, when the personal data breach is likely to adversely affect their privacy
  • to keep an inventory of personal data breaches, including the facts surrounding the breaches, the impact and the remedial actions taken.

Article 4 also says that the EC may issue technical implementing measures regarding the notification formats and procedures, in consultation with the Article 29 Working Party, the European Data Protection Supervisor (EDPS) and ENISA.

Articles 30, 31 and 32 of the Data Protection regulation

The EC has proposed to reform the current European data protection framework (Directive 95/46/EC), and has proposed an EU regulation on data protection. The regulation regards organisations that are processing personal data, regardless of the business sector the organisation is in. Security measures and personal data breach notifications are addressed in Articles 30, 31 and 32:

  • Organisations processing personal data must take appropriate technical and organisational security measures to ensure security appropriate to the risks presented by the processing.
  • For all business sectors the obligation to notify personal data breaches becomes mandatory.
  • Personal data breaches must be notified to a competent national authority without undue delay and, where feasible, within 24 hours, or else a justification should be provided.

Personal data breaches must be notified to individuals if it is likely there will be an impact on their privacy. If the breached data was unintelligible, notification is not required, e.g. Tokenised data.

Read my summary of the proposed New EU Data Protection Act here.

Article 15 of the e-Sig and e-ID regulation: “Security requirements”

The EC recently released a proposal for a regulation on electronic identification and trust services for electronic transactions in the internal market. Article 15 in this proposal introduces obligations concerning security measures and incident reporting:

  • Trust service providers must implement appropriate technical and organisational measures for the security of their activities.
  • Trust service providers must notify competent supervisory bodies and other relevant authorities of any security breaches and where appropriate, national supervisory bodies must inform supervisory bodies in other EU countries and ENISA about security breaches.
  • The supervisory body may, directly or via the service provider concerned, inform the public.
  • The supervisory body sends a summary of breaches to ENISA and the EC.

EU Cyber Security Strategy

The European Commission is developing a European Cyber Security Strategy. The roadmap for the strategy refers to Article 13a and mentions extending Article 13a to other business sectors. The Commission has indicated that there will be five main strands:

  • Capabilities and response networks, for sharing information with public and private sector
  • Governance structure including the national competent authorities, to address incidents and develop an EU contingency plan.
  • Incident reporting for critical sectors like energy, water, finance and transport.
  • Pre-commercial procurement of security technology and public-private partnerships to improve security across the single market
  • Global cooperation, to address global interdependencies and the global supply chain.

A European Cyber Security Strategy is an important step to increase transparency about incidents, and ultimately to prevent them or limit their impact.

ENISA’s Review

Security measures and incident reporting, implemented across the EU’s digital society, are important to improve overall security. EU legislation plays an important role here as it allows harmonization across the EU member states. This in turn prevents weak links and unnecessary costs for providers operating cross-border.

The European Commission, in collaboration with the EU Member States, has undertaken a number of legislative initiatives aiming to further improve transparency about incidents. Another important step is the proposed Cyber Security Strategy, which emphasizes incident reporting and the importance of exchange across the EU about incidents and how to address them. We conclude with some general remarks.

Regulatory gaps: In the introduction we gave five examples of cyber incidents with a severe impact on the security or privacy of electronic communications. The 2nd incident, caused by the Dagmar storm, is in scope of existing incident reporting legislation and as such reported to authorities. The proposed regulation on electronic trust providers would also cover the 4th incident. But the remaining incidents (the 1st, 3rd, and 5th) are not clearly in scope or subject of debate between providers and the national regulator.

It is important that national authorities and the EC discuss, agree, and clarify the scope of legislation on electronic communications and address these and other gaps. This can be done without necessarily changing the text of existing legislation, such as the telecom regulatory framework, but rather the interpretation of what the services are, because the landscape of electronic communications is continuously changing (from landline telephones and minitel in the past, to mobile phones, internet and VoIP).

Model security articles: There is a lot of similarity between Article 13a of the Framework directive and Article 15 of the e-Signatures and e-Identities regulation. The former has been taken as a model for drafting the latter. Both articles combine security measures and incident reporting, at a national level and at an EU level. Consistency and standardization in the legislative texts allows for more easy governance by the member states, and more easy implementation by the providers. Furthermore, the combination of national reporting and EU reporting (present in both Article 13a and Article 15) allows national authorities room to adjust to national circumstances, while at the same time providing overview and feedback at an EU level, which allows Member States to optimize implementation and to ensure a harmonized approach across EU member states.

Governing security measures: Mandatory breach reporting receives a lot of media attention and it is arguably the most visible part of the security articles. The ultimate goal is to limit the impact of security and personal data breaches or prevent them altogether by making sure appropriate security measures are taken. This type of governance is crucial and not easy. In security much depends on the technical details of the implementation and these details are hard to capture in (high-level) legislation and subject to change.

National authorities should exchange knowledge about an effective and efficient combination of high-level legal obligations and technical implementation requirements. For the latter it is important to adopt a bottom up approach (i.e. commonly agreed recommendations), taking into account the (changing) state of the art and the practical experiences of regulators and experts from the private sector.

As a second, but related point, the need to take “appropriate technical and organisational security measures” is mentioned in all the security articles. Although these articles are aimed at different providers and different types of breaches, there is still a large overlap between the security measures that have to be taken. The competent national authorities should collaborate (nationally and at an EU level) to ensure that these security measures are implemented consistently and where there is an overlap, similarly, to allow providers to comply more easily, and to allow equipment vendors to adapt their products accordingly.

Optimizing incident reporting procedures:

  • Incident response versus incident reporting: To prevent incidents from escalating Member states should encourage providers to quickly contact technical experts, incident response teams (like national CERTs), crisis coordination groups, and other organizations relevant in the response phase, should this be necessary. Member states should underline that incident response receives priority. The purpose of mandatory incident reporting to national authorities is supervision over whether or not providers comply with legal requirements, while the purpose of information exchange in the response phase, for example with a national CERT, is to tackle the incident. Member states should encourage transparency and trusted information sharing in the response phase and ensure that response processes are independent and not slowed down by legal reporting requirements. Member states should for instance ensure that incident reporting procedures are easy and quick to apply.
  • Exchange and sharing: Over the past years CERTs have developed effective platforms for collaboration and information exchange. Beyond the response phase, however, there is still little exchange of information about breaches between different national authorities. The EC should continue to support the working groups and platforms for exchanging information between national authorities, about breaches, about lessons learnt and best practices.
  • Granularity and tools: An important aspect of the evaluation of existing legislation on incident reporting should be an analysis of costs and benefits. Both for national and EU level reporting it is important to review over time the thresholds for reporting, the type of information that is reported, the level of detail, and so on. If too few incidents are reported, then it will be difficult to draw meaningful conclusions about common root causes or trends. This would defeat the purpose of the legislation altogether and make the legislation cost ineffective. National authorities should analyse what is a good balance, taking into account the costs and benefits for providers as well as the national authorities. Providers and national authorities should investigate automated tools and computer interfaces to allow for cost-effective incident reporting at a sufficient level of detail, while avoiding the burden of manual and ad-hoc reporting procedures. For example, one could distinguish between small and large incidents and use less reporting detail for the (many) smaller incidents.

ENISA Conslusion

ENISA would like to remark that in recent years a lot of progress has been made, in terms of addressing incidents and increasing transparency about incidents. The national authorities, for example, recently submitted to ENISA and the EC, the first Article 13a incident reports regarding severe incidents that occurred in 2011. The vast majority of national authorities use a single set of security measures and a common reporting template allowing for efficient collection and analysis. ENISA will publish an analysis of the 51 severe incidents in September 2012. From next year, every spring ENISA will collect annual incident reports and publish an analysis of the incidents of the previous year. For example, next spring 2013 ENISA will publish an analysis of the 2012 incidents.

ENISA looks forward to continuing our work with national authorities and the European Commission to support an efficient and effective implementation of Article 13a, Article 4, and the other security articles across the single digital market, and to support collaboration and information exchange between national authorities across the EU, to improve security across the EU’s digital society.

Find the ENISA press release here.


European Privacy Day 2012 – 28th January

The 28th January will be the European Privacy day for 2012.

Official logo of the European Data Protection ...

The campaign states that “2011 was a year with privacy discussions about Facebook, use of hacking by journalists, use of intelligent CCTV by police forces, use of twitter during urban riots, face recognition, smart houses and smart viewing of houses, and ICT for active ageing.”

The campaign has a the backing off most of Europe’s Data Protection Agencies e.g. the UK’s Information Commissioners Office and the European Data Protection Supervisor.


The European Data Protection Supervisor (EDPS) is an independent supervisory authority devoted to protecting personal data and privacy and promoting good practice in the EU institutions and bodies. He does so by monitoring the EU administration’s processing of personal data; advising on policies and legislation that affect privacy and cooperating with similar authorities to ensure consistent data protection.

Download the Privacy EDPS booklet here.


The Information Commissioner’s Office’s (ICO) mission is to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. We rule on eligible complaints, give guidance to individuals and organisations, and take appropriate action when the law is broken. You can find out more about us in this section.

To coincide with the European Privacy Day the UK Information Commissioner has launch a campaign called Access Aware which calls on individuals be more careful when accessing Personally identifiable Information (PII).

The Access Aware tool kit can be downloaded here.

Access Aware is one of the first outcomes of the ICO’s information rights priority work. Banking and finance companies as well as health bodies have been identified as the worst performing sectors in relation to handling subject access requests.

  • The most complained about sector are the lenders. In 2010/11, over a third (34%) of completed data protection specific complaints concerning financial institutions were about mishandled subject access requests.
  • In 2010/11, almost half (45%) of data protection specific complaints about health bodies concerned mishandled requests.
  • In the same year, 34% of data protection specific complaints in the policing and criminal justice sector were about subject access.

Speaking on the 27th January 2012, ahead of the Privacy Day, the UK Information Commissioner, Christopher Graham said:

“Organisations that handle personal information need to remember that customer records are not simply their property – the individuals who do business with them also have rights. We are seeing far too many complaints that could easily have been avoided if they’d been given serious and timely consideration.

“The result of mishandling requests is not simply a blip on customer service satisfaction levels, it can cause individuals a great deal of upset. The people who are making these requests are not doing it for fun; the vast majority are seeking resolutions to real problems – such as being refused credit or making important decisions about their health. I hope businesses and bodies that handle personal data use European Data Protection Day as a prompt to think about ways to improve their subject access request handling. Our Access Aware materials have been designed to help them do just that.”


Who has the Information Commissioner caught in the last 3 months ?

Christopher Graham, the UK Information Commiss...
Image via Wikipedia

On the 7th September, The Information Commissioner’s Office (ICO) announced the results of its investigation into The University Hospital of South Manchester NHS Foundation Trust breached the Data Protection Act after it lost the personal data of 87 patients.

The information was lost after a medical student, who had been on a placement at the hospital’s Burns and Plastics Department, copied data onto a personal, unencrypted memory stick for research purposes. The student then lost the memory stick during a subsequent placement in December last year.

The ICO’s investigation uncovered that the hospital had “assumed” that the student had received data protection training at medical school and therefore did not provide them with the induction training given to their own staff.

Sally Anne Poole, Acting Head of Enforcement said: “This case highlights the need to ensure data protection training for healthcare providers is built in early on so that it becomes second nature. Medics handle some of the most sensitive personal information possible and it is vital that they understand the need to keep it secure at all times, especially when they are completing placements at several health organisations. NHS bodies have a duty to make sure their staff, both permanent and temporary, understands their responsibilities on day one in the job.

“While we are pleased that the University Hospital of South Manchester has taken action to avoid this oversight in the future, we will continue to work with healthcare bodies and education providers to make sure that data protection training is a mandatory part of people’s education.”

The London  Ambulance Service who breached the Data Protection Act after a personal laptop was stolen from a contractor’s home agreed a further undertaking. The laptop contained contact details and transport requirements relating to 2,664 patients who had previously used the Patient Transport Service. The Trust has now taken action to ensure that contractors are made aware of its existing policy on the use of personal data, which states that staff should not store patients’ information on their personal computers.

The list of ICO actions during the last 3 months is below:-

7 September 2011

  • An undertaking to comply with the seventh data protection principle has been signed by London Ambulance Service NHS Trust. This follows the theft of a personal unencrypted laptop containing patient data.
  • An undertaking to comply with the seventh data protection principle has been signed by University Hospital of South Manchester NHS Foundation Trust. This follows the loss of an unencrypted memory stick containing personal information relating to approximately 87 patients.

2 September 2011

  • An undertaking to comply with the seventh data protection principle has been signed by the Scottish Children’s Reporter Administration. This follows the sending of an email containing sensitive personal data relating to a child’s court hearing to an unknown third party and the temporary loss of 9 case files relating to the safety and welfare of children during an office move.
  • An undertaking to comply with the seventh data protection principle has been signed by Luton Borough Council. This follows a self reported breach concerning a flaw in the encryption function of a number of Council issue memory sticks. The flaw could allow memory sticks to be formatted removing encryption protection.

10 August 2011

  • An undertaking to comply with the seventh principle of the DPA has been signed by the London Borough of Greenwich. This follows two incidents where sensitive personal data was inadvertently disclosed, due to the Council’s failure to implement appropriate wording in their ICT policy, stating that the sending of sensitive personal data in business related emails to external webmail addresses should be avoided.

9 August 2011

  • An Undertaking to comply with the seventh data protection principle has been signed by Lush Cosmetics Ltd. This follows a malicious intrusion on their website which compromised approximately 5000 customer credit cards.

8 August 2011

  • An undertaking to comply with the seventh data protection principle has been signed by Bay House School after the personal details of nearly 20,000 individuals, including some 7,600 pupils, were put at risk during a hacking attack on its website.

5 August 2011

  • An undertaking to comply with the seventh data protection principle has been signed by HCA International Limited. This follows the theft of two unencrypted laptops containing sensitive personal data from one of the group’s hospitals in March.

4 August 2011

  • An undertaking to comply with the seventh data protection principle has been signed by the Chief Executives of Lewisham Homes Limited (the ICO website has Lewisham Council listed which is in correct) and Wandle Housing Association. This follows the discovery of an unencrypted USB stick containing thousands of tenant records and financial data in a London pub.

29 July 2011

  • An undertaking to comply with the seventh data protection principle has been signed by Kirklees Metropolitan Council. This follows the inappropriate disclosure of personal data by care workers contracted by Kirklees Metropolitan Council.

20 July 2011

  • An undertaking to comply with the seventh data protection principle has been signed by the University of York after it failed to close a test area on its website that contained thousands of students’ personal details. While no direct link was available for the test area from the University’s website, 148 records were inappropriately accessed.

19 July 2011

  • An undertaking to comply with the seventh data protection principle has been signed by Lancashire Police Authority (LPA). This follows the inappropriate disclosure of personal data on the LPA’s website containing sensitive personal data.

18 July 2011

  • An undertaking to comply with the seventh data protection principle has been signed by Northamptonshire Healthcare NHS Foundation Trust. This follows the loss of one individual’s medical records.

5 July 2011

  • An undertaking to comply with the seventh data protection principle has been signed by Ms Raisa Saley, Barrister at law, further to the loss of a bundle of court papers which containeded a considerable volume of sensitive personal data relating to a number of individuals from the same family.

1 July 2011

  • An undertaking to comply with the seventh data protection principle has been signed by Basildon and Thurrock University Hospitals NHS Foundation Trust. This follows the transmission of a fax containing sensitive personal data to the wrong recipient.
  • An undertaking to comply with the seventh principle of the DPA has been signed by Dunelm Medical Practice, further to the inappropriate facsimilie transmission and subsequent disclosure of two patient’s electronic discharge letters, which contained sensitive personal data, including medical information.
  • An undertaking to comply with the seventh data protection principle has been signed by East Midlands Ambulance Service NHS Trust. This follows the transmission of a fax containing sensitive personal data to the wrong recipient..
  • An undertaking to comply with the seventh data protection principle has been signed by the Ipswich Hospital NHS Trust. This follows the discovery of 29 patient records containing sensitive personal data in a public place.
  • An undertaking to comply with the seventh data protection principle has been signed by Lancashire Teaching Hospitals NHS Foundation Trust. This follows the faxing of sensitive personal data to a member of the public on more than one occasion.

28 June 2011

  • An undertaking to comply with the seventh data protection principle has been signed by Cherubs Community Playgroup. This follows the theft of an unencrypted laptop containing personal information relating to approximately 47 families.

14 June 2011

  • An undertaking to comply with the seventh data protection principle has been signed by CCTV monitoring website Internet Eyes Limited. This follows a complaint about a clip posted on video sharing website YouTube that contained an identifiable image of a person in a shop. The clip appeared to have been uploaded by a viewer who had used the CCTV footage streamed to their computer from the Internet Eyes website.
  • An undertaking to comply with the seventh data protection principle has been signed by Surbiton Children’s Centre Nursery. This follows the theft of a teacher’s bag containing an unencrypted memory stick and paperwork.

8 June 2011

  • An undertaking to comply with the seventh data protection principle has been signed by North Lanarkshire Council. This follows the theft of hard copy documents containing sensitive personal data.

The Commissioner was also very busy prior to the dates above but for the purposes of consolidation I have only included the last 3 Months worth.


Blog at

Up ↑

%d bloggers like this: