Connect with us

Hi, what are you looking for?


Incident Response

Co3 Systems Helps Organizations Comply With EU Privacy Breach Laws

Co3 Systems, a maker of software that helps organizations prepare, assess, manage, and report on privacy breaches and security incidents, has expanded its Privacy Module with new coverage for privacy regulations in the European Union (EU).

Co3 Systems, a maker of software that helps organizations prepare, assess, manage, and report on privacy breaches and security incidents, has expanded its Privacy Module with new coverage for privacy regulations in the European Union (EU).

Co3 Systems’ customers can now easily navigate the vast differences in the definition, regulation and communication of data breaches involving Personally Identifiable Information (PII) across the U.S. and the EU, the company said in an announcement on Tuesday.

New support for the EU adds to existing support for U.S. and Canadian privacy breach regulations, which the company updates on an ongoing basis.

“Privacy has the potential to be a new ‘Cold War’ between the U.S. and the EU,” said Larry Ponemon, chairman and founder of the Ponemon Institute. “There are massive differences in economic and philosophical approaches to PII that put any organization that does business internationally at risk of substantial fines and loss of revenue, should they not comply with the letter of the laws.”

Co3’s Gant Redmon, an ongoing SecurityWeek Expert Contributor, has written several columns on the diverse and dynamic landscape, including the differences in the definitions of PII between the U.S. and the EU and the EU fears around the privacy implications of the Patriot Act.

The new coverage will help customers across three major areas, Co3 says, including:

· PII Definition and Identification: While U.S. breach laws tend to have very specific and tangible data elements that make up PII (Social Security numbers, credit cards, etc.) The EU definition is much broader, often defined as “information relating to an identified or identifiable individual.” Consideration is also given to data elements that are referred to in the EU as “Special Categories of Data” and include information like religious/philosophical beliefs, trade union memberships, racial/ethnic origin, health or sex life, and criminal activity.

Advertisement. Scroll to continue reading.

· Regulatory Reporting Triggers and Responsibility: While U.S. breach laws primarily depend on the state of residence of the affected consumer, EU regulations relate more to where the office of the data controller is established or where processing takes place. This can make it very difficult for U.S. companies with offices in Europe to determine whether or not a breach needs to be reported, and timing can be equally as vague, with phrasing such as “as soon as the data controller becomes aware” of the incident (Ireland) or “the competent supervisory authority shall be notified without delay” (Germany).

· Non-regulatory Breach Communications: Some countries do not require notification expressly by a regulation, but highly recommend the practice from within their own Data Protection Authority. In those countries, notification can be viewed as an effort to reduce the risk of harm to individuals by allowing them to take proper precautions. This is the case in Denmark, Ireland and the UK. There have been court cases in Denmark where the interpretation leans to the side of treating it as a legal requirement.

“The U.S. and European systems of privacy regulations are quite complex in their own right. Trying to span both is made more complex as each has a fundamental difference on the definition of privacy,” said John Bruce, CEO at Co3 Systems. “The cost and uncertainty that this environment creates can be a severe impediment to international business growth. Co3 offers a way to reduce this complexity and completely automate the process of preparing for, and ultimately managing breaches and their business impact, independent of territorial wrinkles that arise each day as regulations and guidance evolve.”

Co3 also provides customers with a knowledgebase of regulations and best practices maintained by Co3 experts and Co3 customers.

The new features are accessible to Co3 Privacy Module customers at no additional cost, the company said.

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.