The new European Union regulation requiring mandatory personal data breach disclosures by telecoms operators and internet service providers (ISPs) comes into force on Sunday 25 August 2013.
The new regulation builds out the security breach provisions for telecoms providers and ISPs introduced into EU law in 2009 through the E-Privacy Directive 2009/136/EC.
From 25 August, all EU telcos and ISPs will be required to notify national authorities of any theft or loss of, or unauthorised access to, personal customer data, including emails, calling data and IP addresses.
Details concerning any incident, including the timing and circumstances of the breach, nature and content of the data involved, and likely consequences of the breach, must be reported.
“Controversially, the regulation requires breach notification to national regulators within 24 hours of detection, subject to a ‘feasibility’ request,” said Stewart Room, privacy and information partner at law firm Field Fisher Waterhouse.