Co3 Systems Helps Organizations Comply With EU Privacy Breach Laws

Co3 Systems, a maker of software that helps organizations prepare, assess, manage, and report on privacy breaches and security incidents, has expanded its Privacy Module with new coverage for privacy regulations in the European Union (EU).

Co3 Systems’ customers can now easily navigate the vast differences in the definition, regulation and communication of data breaches involving Personally Identifiable Information (PII) across the U.S. and the EU, the company said in an announcement on Tuesday.

New support for the EU adds to existing support for U.S. and Canadian privacy breach regulations, which the company updates on an ongoing basis.

“Privacy has the potential to be a new ‘Cold War’ between the U.S. and the EU,” said Larry Ponemon, chairman and founder of the Ponemon Institute. “There are massive differences in economic and philosophical approaches to PII that put any organization that does business internationally at risk of substantial fines and loss of revenue, should they not comply with the letter of the laws.”

Co3’s Gant Redmon, an ongoing SecurityWeek Expert Contributor, has written several columns on the diverse and dynamic landscape, including the differences in the definitions of PII between the U.S. and the EU and the EU fears around the privacy implications of the Patriot Act.

The new coverage will help customers across three major areas, Co3 says, including:

· PII Definition and Identification: While U.S. breach laws tend to enumerate very specific and tangible data elements that make up PII (Social Security numbers, credit card numbers, etc.), the EU definition is much broader, typically phrased as “information relating to an identified or identifiable individual.” Consideration is also given to data elements referred to in the EU as “Special Categories of Data,” which include information such as religious/philosophical beliefs, trade union membership, racial/ethnic origin, health or sex life, and criminal activity.

· Regulatory Reporting Triggers and Responsibility: While U.S. breach laws primarily depend on the state of residence of the affected consumer, EU regulations relate more to where the office of the data controller is established or where processing takes place. This can make it very difficult for U.S. companies with offices in Europe to determine whether a breach needs to be reported, and timing can be equally vague, with phrasing such as “as soon as the data controller becomes aware” of the incident (Ireland) or “the competent supervisory authority shall be notified without delay” (Germany).


· Non-regulatory Breach Communications: Some countries do not expressly require notification by regulation, but their Data Protection Authority strongly recommends the practice. In those countries, notification is viewed as an effort to reduce the risk of harm to individuals by allowing them to take proper precautions. This is the case in Denmark, Ireland and the UK. There have been court cases in Denmark where the interpretation leans toward treating notification as a legal requirement.

“The U.S. and European systems of privacy regulations are quite complex in their own right. Trying to span both is made more complex as each has a fundamental difference on the definition of privacy,” said John Bruce, CEO at Co3 Systems. “The cost and uncertainty that this environment creates can be a severe impediment to international business growth. Co3 offers a way to reduce this complexity and completely automate the process of preparing for, and ultimately managing breaches and their business impact, independent of territorial wrinkles that arise each day as regulations and guidance evolve.”

Co3 also provides customers with a knowledge base of regulations and best practices maintained by Co3 experts and Co3 customers.

The new features are accessible to Co3 Privacy Module customers at no additional cost, the company said.

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is founder and director of several leading cybersecurity industry conferences around the world.