Jonathan Stearns, Bloomberg:
The European Parliament endorsed legislation that will impose security and reporting obligations on service operators in industries such as banking, energy, transport and health and on digital operators like search engines and online marketplaces. The law, voted through on Wednesday in Strasbourg, France, also requires EU national governments to cooperate among themselves in the field of network security.
The rules “will help prevent cyberattacks on Europe’s important interconnected infrastructures,” said Andreas Schwab, a German member of the 28-nation EU Parliament who steered the measures through the assembly. EU governments have already supported the legislation.
This is a good-natured law that I think will significantly improve security protocols used by major companies, and encourage them to more readily report breaches. That’s desperately needed — recall that LinkedIn was a public company with 200 million members four years ago, when their systems were breached. Over 100 million passwords were stolen, yet LinkedIn only acknowledged “some” at the time. It wasn’t until this year when they admitted to the full scale of the theft. If LinkedIn covered it up for PR reasons, that’s bad; if they didn’t know about the theft in 2012, that’s arguably worse.
But more needs to be done. Not only should systems be hardened and reporting procedures be set in place, these companies ought to be collecting and storing less personal information. That’s the kind of decision that would reduce the incentive for this kind of crime while improving all of our privacy and security, regardless of the chance of a corporate-level breach.
Postscript: I adjusted Bloomberg’s headline because the word “cybersecurity” makes me feel like I should switch on some Eiffel 65. I asked on Twitter and Victor Pope suggested “information security”, but it doesn’t feel quite right in this context. Sonya Mann’s choice, “network security”, seems more right, but still a little clunky to me. If you have a suggestion for a better phrase, please let me know. Together, we have already bid farewell to CSI: Cyber; now, it is time for us to rid the world of the word “cyber” in all its forms.