The European Network and Information Security Agency (ENISA) has published a report on "Data Breach Notifications in the EU" to support the introduction of mandatory personal data breach notification following the EU Telecommunications Regulation Reform Package in 2009. That legislation requires the new rules to be transposed into the national laws of the 27 member states by May 2011.

The report will not only be useful to public authorities such as data protection agencies (DPAs), but also for those in the electronic communication sector directly affected by the legislation — communications providers including telecoms companies and internet service providers (ISPs). It will also be of use to any organisation developing policies and processes in the area of internal or external notification, regardless of whether r not there is a legal requirement.

The report is largely based on the results of a survey of 46 organisations conducted using interviews and questionnaires. The organisations primarily included DPAs, telecommunications operators and some other private sector organisations located in Europe. There is a good description of the legislative background including examples of existing local requirements/guidance in Germany, Ireland, Spain and the United Kingdom. In the UK, there is currently no legal duty to notify breaches (see ICO guidelines), but other mandates such as contracts, policies or requirements of trade organisations might dictate otherwise. There is a also a summary of working definitions and criteria for personal data, data subjects and data breaches across Europe, which is not as homogenous as you might hope.

The chapter about the private sector provides a good insight into operators' existing notification practices and incident handling procedures. It also examines the divergent objectives between regulatory authorities and the private sector. Remember that "breaches" are not only incidents relating to data loss. All aspects of privacy legislative contraventions need to be considered.

The ENISA report concludes with a list of aspects requiring further definition to simplify the transition to mandatory notification, and to ensure better harmonisation across the member states. Time may be against all these occurring before May 2011.

Other sectors - keep watching!

Last week, Google announced an additional tier of user security notification in its search results. Sites which Google believes have been hacked or otherwise compromised, but do not yet host malware may be marked with "This site may be compromised" on search engine result pages.

This status is not as severe as notifying users that the site hosts malware, when "This Site May Harm Your Computer" is displayed, but take it as an important warning. Compromise often leads to malware hosting. See my previous post about suggestions on to prepare for such an event — these are identical for "This site may be compromised".

Unlike requesting a review after malware has been cleaned up, the process for recovering a clean status in Google for a previously compromised site, uses the Request Reconsideration Form.

Google may also remove sites completely from its indexes and search results. This could be due to not having access, content such as malware, incorrect use of the robots exclusion standard, incomplete site maps, incorrect HTTP status codes, or other reasons that lead to a breach of its webmaster guidelines. Sites may also be removed or excluded due to legal action (e.g. if Google receives a Cease and Desist Notice - examples).

There is another tier which doesn't really fit in the above diagram — sites which use common application software which is out-of-date or which is known to contain security vulnerabilities, may receive WebMaster Tools messages, but this information is not currently displayed to search engines users.

Remember, just because Google has not detected use of old/vulnerable application software, or detected compromise or detected malware, this doesn't mean these none of these are true. Verify your own web applications, and have a plan in place in case any of these occur. Oh, and make someone accountable.

I read about a new web site which should be a useful resource for people who market or communicate to children. Great I thought.

But then I saw the domain name: www.check.uk.com

Why is this Check web site on a sub-address of someone else's domain? It could at least have been a sub-domain of the Advertising Association e.g. check.adassoc.org.uk - how will they deal with domain reputation issues such as malware reports? The fundamentals just haven't been thought about.

I can understand, but don't agree with, the decision to embed Google Analytics code within these pages and making JavaScript mandatory. I also think it's rather weak to have this in the privacy "policy":

I know this Check web site isn't itself aimed at children, but even the Information Commissioner's Office (ICO) recommends privacy pages are called "privacy notices" and produce a clear guidance document on the topic. There aren't even any contact details on the page about privacy.

Apart from that, the advice looks helpful.

"This Site May Harm Your Computer" is displayed by Google as a safe browsing advisory in its search results when it has found suspicious content during content crawling and indexing. The effect on traffic can be dramatic; especially for e-commerce sites.

I keep speaking with people where their online sales have dropped 50-100% within a few days of such a notice appearing.

The best thing of course is to try to avoid becoming listed as having suspicious content in the first place. That's where securing your web site, applications and related systems comes in. But you also want to find out as soon as possible if one of your web sites is being flagged as harmful, so that you can investigate the cause, fix the problems and remediate altered data.

What can you do in advance to help yourself and make sure you know as soon as possible?

1. Register as the site owner (you—not your developers or hosting company)with:
   • Google Webmaster Tools
   • Norton Safe Search
   which will alert you by email when problems are detected, and provide a quicker way to request your site is re-evaluated after problems have been resolved; ensure this email account is monitored 24h/d.
2. Check malware monitoring sites regularly:
   • Google Safe Browsing http://www.google.com/safebrowsing/diagnostic?site=[yourhostname]
   • McAfee SiteAdvisor http://www.siteadvisor.com/sites/[yourhostname]
   • McAfee TrustedSource https://www.trustedsource.org/query/[yourhostname]
   • Norton Safe Web http://safeweb.norton.com/report/show?url=[yourhostname]
   • Stop Badware http://stopbadware.org/home/reportsearch
3. Examine search results yourself (Bing, Google, Yahoo) using automated methods where possible (e.g. create a content/uptime monitoring alert which looks for the word 'harm' or 'malware' in each search engine's results page that will always include your web site).
4. Install security widgets (such as McAfee SiteAdvisor or Norton Safe Web) in your own web browsers and visit your own web sites.
5. Scan your own web site for malware using professional services, although there are some free tools available (e.g. Qualys Stop Malware or AVG Online Scan).
6. Browse your own web sites using computers with a range of anti-malware (anti-virus) software installed and configured in the most paranoid mode.
7. Build logging and monitoring into your web sites and applications which will detect unusual activity and unauthorised changes to files and other data.

Web site owners cannot register in advance with McAfee SiteAdvisor, but keep the URL handy so you can contact them if necessary.

But do remember, like other "reviews", organisations that display warnings about your site are under no obligation to respond or change the adverse status within any particular timescale. It's best not to become blacklisted in the first place.