European Union proposal could foil U.S. hacker probes

Cesare Abbate/Newscom

Internet privacy protections that the European Commission introduced this week could undermine American investigations into stateside data breaches, some security and legal experts say.

Several of the reforms focus on safeguarding data in the cloud, where online applications are managed by an offsite company's computer centers. Europe's proposed rules would require U.S.-based cloud computing providers with European Union customers to notify EU authorities of a data breach within 24 hours of detection.

"There are no borders online and cloud computing means data may be sent from Berlin to be processed in Boston and stored in Bangalore," commission officials noted when unveiling their agenda Wednesday. The recommendations require data handlers to "notify data breaches without undue delay to both [EU] data protection authorities (which, where feasible, should be within 24 hours) and the individuals concerned."

But some corporate attorneys say the 24-hour rule could focus efforts on documenting an incident at the expense of resolving it. Often, American authorities and U.S. firms prefer to keep details of a compromise on the down low until they understand the extent of an intrusion.

"Companies will have to put their resources into preparing their breach report -- not figuring out how big the problem is or capturing the criminal," said Jonathan P. Armstrong, a London-based partner with law firm Duane Morris. "Do you want to stop people from getting hurt or tell them when they have been hurt?"

Businesses also do not want to notify the hackers that they are being sought, thus allowing them to escape. "I'll know much sooner that they're on to me" is the criminal's mentality about the 24-hour deadline, Armstrong said.

Todd Thiemann, a senior director for data security firm Vormetric, said, "it's going to put a lot of executives between a rock and a hard place when a breach happens. And it's not if, it's when."

In addition, U.S. firms may be hesitant to sound an alarm if the "breach" turns out to be a misplaced laptop discovered safe and sound two days later. "Twenty-four hours might be too soon to declare something is missing in action," Armstrong said.

Furthermore, he said, immediate notifications could create a boy-who-cried-wolf situation where breach alerts become so routine that no one knows when a threat is real. "If you get seven reports of a breach, you're probably going to start hitting delete. I think we should reserve telling people about a breach for the most serious breaches," he said. Although firms likely will not have to notify U.S. citizens, Twitter is sure to spread the word from across the pond, he added.

Officials at industry group TechAmerica welcomed the effort to harmonize global regulations on data privacy but, James Lovegrove, the organization's managing director for Europe, said, "the real concern is that many of the proposed rules will inhibit the free flow of information globally and make it difficult for global businesses to operate and invest in Europe due to greater legal uncertainty, increased administrative burdens and the risk of fines."

U.S. officials last spring proposed their own breach notification rules, but the recommendations would allow companies 60 days to inform consumers whose personal information has been compromised. Europe's actions were partly fueled by several major 2011 assaults against Sony's PlayStation Network. Customers seethed after hearing the entertainment giant waited a week before telling customers it had discovered an intrusion on April 19.

Fact sheets on Europe's plan explain the need for reforms by pointing to what sounds like the Sony incident: "Hackers attacked a gaming service which targets users in the EU. The breach affected databases containing personal data (including names, addresses and possibly credit card data) of tens of millions of users worldwide. The company waited for a week before notifying the users concerned."

U.S. officials, according to PCWorld , have expressed reservations about the 24-hour rule, saying it is "simply too short."

The commission's strategy is not a sure thing. First, the European Parliament and member states must approve the proposal and, even if agreed to in full, the rules would not take effect until two years later.

Still, "this is more motivation for U.S. IT companies, whether they are catering to the U.S. federal government or the EU, to step up their game in terms of data security," Thiemann said.