Today brings news that the EU will require telecommunications companies to inform affected parties of data breaches. Although some would argue (and are arguing) that this measure should extend to all businesses – and we agree, eventually – the EU measure is a critical first step. Since telecommunications companies and service providers have online components as well as the means to store vast amounts of customer data, starting with these groups makes sense.
We fully expect data protection measures to extend to different business types and industries, but these extensions should be done in a measured, controlled manner. The very worst thing that the EU could do is impose broad, blanket data protection measures that would affect all industries immediately. Historically, such measures (for example, Sarbanes-Oxley in the United States) have created compliance costs and headaches that can be as difficult to navigate as the problems they were intended to solve.
Rather than bemoan the fact that the measures are starting with the telcos, let’s look at this as an important first move that is being done correctly and gives all businesses time to prepare for the inevitable cross-industry data protection measures that will emerge in the coming years.