Ie: Mandatory reporting of security breaches on the way
John Kennedy reports:
Ireland’s Data Protection Commissioner has unveiled a new draft Code of Practice that sets out the reporting obligations of organisations in the event of a security breach and how they go about protecting private data.
The draft Code of Practice has been placed on the website of the Office of the Data Protection Commissioner and the commissioner has invited comments from members of the public and organisations.
Direct link to the draft code, which does contain a safe harbor provision for encrypted data, or for data that were protected by a strong password and that can be, and have been, remotely wiped before the data could be accessed.
Interestingly, the draft code would only give data controllers two days to report the incident to the Commissioner following discovery, but the draft code seems to leave a lot of wiggle room as to whether data controllers must inform those whose data have been breached.