Joe Anthony, director of security, risk and compliance product management at IBM, has criticised the latest proposed reforms to the EU's data protection laws, arguing that 24 hours is not long enough for companies to make meaningful breach notifications to the authorities.
He claims that although companies could detect a breach and start the disclosure process, the full extent of the breach might not yet be understood.
Under the draft published in January, companies suffering data breaches would have 24 hours to tell the relevant authorities or risk legal action and large fines, which could reach up to five percent of turnover.
The shake-up of the EU's data protection rules is intended to eliminate the disparity between the differing laws of the EU's 27 member states.
Anthony, however, argues that the proposals will result in companies giving authorities breach details that do not reflect the true scale of the problem.
“I do think that accountability is important, but it will be difficult for companies to notify authorities that quickly,” said Anthony.
“A data breach is very significant, but you need to do some probing to fully understand the full extent of the breach and I doubt many companies have the capabilities to do that within 24 hours,” he added.
“Even if you detect a breach, it may have occurred in more than just a single application or a single database, which is why time is needed to carry out investigations.”
Anthony argued that in order to make the short notice period more manageable, companies need to move away from manual processes and automate their security systems.
“Automation would make this significantly easier for businesses. For example, if a system notifies me that a certain database was breached, the more automated it was, the sooner I would be able to know which people had access to that database and for what purpose,” he said.
“Automation would allow a company to detect the breach in a shorter timeframe and instantly provide details of all the different people who had access to it.”
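The kind of automated scoping Anthony describes, as an added example that is not IBM's code or anything from the original article: given an audit log for a database reported as breached, it lists which principals touched that database during the suspected window, what operations they ran against which objects, flags any bulk-export verbs, and computes when a 24-hour clock counted from detection runs out. The log line format, field names, database and user names, IP addresses and the set of "bulk export" verbs are all assumptions constructed for the example.

```python
"""Automated breach scoping from a database audit log (added example).

Not IBM's code: the audit line format, the database/user names, the
source addresses and the list of bulk-export verbs are assumptions
constructed for this illustration.
"""
from datetime import datetime, timedelta, timezone
import re

# Assumed audit line format (constructed for this example):
# <ISO-8601 UTC timestamp> db=<database> user=<principal> src=<ip> op=<SQL verb> obj=<table>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) db=(?P<db>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"op=(?P<op>\S+) obj=(?P<obj>\S+)$"
)

# Constructed sample log: three principals on the "customers" database, one
# unrelated database, a couple of events outside the window, and one junk line.
SAMPLE_LOG = """\
2012-03-01T22:10:03Z db=customers user=app_svc src=10.0.1.5 op=SELECT obj=orders
2012-03-01T23:45:11Z db=customers user=app_svc src=10.0.1.5 op=SELECT obj=orders
2012-03-02T00:02:40Z db=customers user=dba_jane src=10.0.9.20 op=SELECT obj=card_tokens
2012-03-02T00:03:15Z db=customers user=dba_jane src=10.0.9.20 op=COPY obj=card_tokens
2012-03-02T00:05:58Z db=customers user=dba_jane src=10.0.9.20 op=SELECT obj=users
2012-03-02T00:30:00Z db=hr user=hr_svc src=10.0.2.8 op=UPDATE obj=payroll
2012-03-02T01:15:22Z db=customers user=app_svc src=10.0.1.5 op=INSERT obj=orders
2012-03-02T02:00:00Z db=customers user=readonly_bi src=10.0.5.40 op=SELECT obj=users
2012-03-02T09:00:00Z db=customers user=dba_jane src=10.0.9.20 op=SELECT obj=orders
this line is garbage and must not crash the parser
"""

# Assumed suspected window and detection time (UTC), constructed for the example.
WINDOW_START = datetime(2012, 3, 1, 23, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2012, 3, 2, 3, 0, tzinfo=timezone.utc)
DETECTED_AT = datetime(2012, 3, 2, 8, 0, tzinfo=timezone.utc)

# Assumed: verbs that indicate wholesale extraction rather than routine queries.
BULK_EXPORT_OPS = {"COPY", "DUMP"}


def parse_audit_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def scope_breach(log_text, database, window_start, window_end):
    """Summarise, per principal, what touched `database` inside the window.

    Returns {user: {"ops": set, "objects": set, "sources": set,
                    "events": int, "first": datetime, "last": datetime}}.
    """
    summary = {}
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        if rec is None or rec["db"] != database:
            continue
        if not (window_start <= rec["ts"] <= window_end):
            continue
        entry = summary.setdefault(rec["user"], {
            "ops": set(), "objects": set(), "sources": set(),
            "events": 0, "first": rec["ts"], "last": rec["ts"]})
        entry["ops"].add(rec["op"])
        entry["objects"].add(rec["obj"])
        entry["sources"].add(rec["src"])
        entry["events"] += 1
        entry["first"] = min(entry["first"], rec["ts"])
        entry["last"] = max(entry["last"], rec["ts"])
    return summary


def flag_exfiltration(summary):
    """Principals whose activity in the window includes a bulk-export verb."""
    return sorted(u for u, e in summary.items() if e["ops"] & BULK_EXPORT_OPS)


def notification_deadline(detected_at, hours=24):
    """When the regulator must be told: counted from detection, not from the breach."""
    return detected_at + timedelta(hours=hours)


def scope_sample():
    """Run the scoping over the constructed log for the 'customers' database."""
    return scope_breach(SAMPLE_LOG, "customers", WINDOW_START, WINDOW_END)


if __name__ == "__main__":
    report = scope_sample()
    for user, e in sorted(report.items()):
        print(f"{user}: {e['events']} events, ops={sorted(e['ops'])}, "
              f"objects={sorted(e['objects'])}, from {sorted(e['sources'])}")
    print("bulk-export suspects:", flag_exfiltration(report))
    print("notify by:", notification_deadline(DETECTED_AT).isoformat())
```

The point of the window filter and the junk-line handling is that a scoping job like this must run unattended on whatever the log actually contains; the per-principal summary is what a first notification can honestly carry while the wider investigation Anthony describes is still under way.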
The proposed changes to the EU's data protection laws are still at an early stage and have yet to be approved by the member states and the European Parliament. It could be a number of years before they are fully implemented across all 27 member states.