Co3 Systems, a maker of software that helps organizations prepare, assess, manage, and report on privacy breaches and security incidents, has expanded its Privacy Module with new coverage for privacy regulations in the European Union (EU).
Co3 Systems’ customers can now easily navigate the vast differences in the definition, regulation and communication of data breaches involving Personally Identifiable Information (PII) across the U.S. and the EU, the company said in an announcement on Tuesday.
New support for the EU adds to existing support for U.S. and Canadian privacy breach regulations, which the company updates on an ongoing basis.
“Privacy has the potential to be a new ‘Cold War’ between the U.S. and the EU,” said Larry Ponemon, chairman and founder of the Ponemon Institute. “There are massive differences in economic and philosophical approaches to PII that put any organization that does business internationally at risk of substantial fines and loss of revenue, should they not comply with the letter of the laws.”
Co3’s Gant Redmon, an ongoing SecurityWeek Expert Contributor, has written several columns on the diverse and dynamic landscape, including the differences in the definitions of PII between the U.S. and the EU and the EU fears around the privacy implications of the Patriot Act.
The new coverage will help customers across three major areas, Co3 says, including:
· PII Definition and Identification: While U.S. breach laws tend to define PII as a list of specific, tangible data elements (Social Security numbers, credit card numbers, etc.), the EU definition is much broader, often phrased as “information relating to an identified or identifiable individual.” Consideration is also given to data elements referred to in the EU as “Special Categories of Data,” which include information such as religious/philosophical beliefs, trade union membership, racial/ethnic origin, health or sex life, and criminal activity.
· Regulatory Reporting Triggers and Responsibility: While U.S. breach laws primarily depend on the state of residence of the affected consumer, EU regulations relate more to where the office of the data controller is established or where processing takes place. This can make it very difficult for U.S. companies with offices in Europe to determine whether or not a breach needs to be reported, and timing can be equally as vague, with phrasing such as “as soon as the data controller becomes aware” of the incident (Ireland) or “the competent supervisory authority shall be notified without delay” (Germany).
· Non-regulatory Breach Communications: Some countries do not require notification expressly by a regulation, but highly recommend the practice from within their own Data Protection Authority. In those countries, notification can be viewed as an effort to reduce the risk of harm to individuals by allowing them to take proper precautions. This is the case in Denmark, Ireland and the UK. There have been court cases in Denmark where the interpretation leans to the side of treating it as a legal requirement.
“The U.S. and European systems of privacy regulations are quite complex in their own right. Trying to span both is made more complex as each has a fundamental difference on the definition of privacy,” said John Bruce, CEO at Co3 Systems. “The cost and uncertainty that this environment creates can be a severe impediment to international business growth. Co3 offers a way to reduce this complexity and completely automate the process of preparing for, and ultimately managing breaches and their business impact, independent of territorial wrinkles that arise each day as regulations and guidance evolve.”
Co3 also provides customers with a knowledge base of regulations and best practices maintained by Co3 experts and Co3 customers.
The new features are accessible to Co3 Privacy Module customers at no additional cost, the company said.