The European Banking Authority (EBA) working with the European Central Bank (ECB) recently released a consultation paper on guidelines for payment service providers (PSPs) to follow in the event of security breaches. Among the suggested mandates is notifying authorities of an incident within two hours from the moment the breach is detected—that’s significantly faster than the breach notification requirements set to go into force next year under the General Data Protection Regulation (GDPR), which requires notice within 72 hours of breach detection. The GDPR also applies to U.S. companies that process information and intend to offer products or services to people in the EU, or monitor people in the EU, according to legal experts at Bryan Cave.
The proposed two-hour notification, which would be the first in a series of required reports, is part of a standardized template, the regulators say will help manage information throughout the investigation of a security breach. Initial reports are not expected to provide detailed information, but serve as an overview of what occurred and the impact it might have had.
The two-hour window “appears dramatic,” but only a “high-level notification” is required immediately, Robert Bond, a data protection expert and partner at Charles Russell Speechlys, told PaymentsCompliance.
Intermediate breach reports are required to keep authorities informed and should be submitted within three business days, according to the proposal. Final reports should provide full information of the incident, including a detailed description of what happened, the impact it had and how it was solved. PSPs have two weeks after business is deemed back to normal to provide final reports.
“These draft guidelines set out the criteria, thresholds and methodology to be used by payment service providers in order to determine whether an operational or security incident should be considered major and, therefore, be notified to the competent authority in the home member state,” according to the consultation paper.
A public hearing on the consultation will take place at the EBA premises on Feb. 9, 2017. Comments regarding the consultation are due by March 7, 2017, and can be sent to the EBA by clicking on the “send your comments” button on the Website.
- EBA Publishes Final Draft of Standards Affecting Card Schemes, Processors
- Viewpoint: Don’t Fear the Breacher
- Part of Europe’s PSD2 Promises to Change the Handling of Payment Data
Image Credits: wk1003mike