Jennifer Baker reports:
European Union justice ministers will consider a “two-strikes” rule for data breaches.
The Irish Presidency of the European Council published a paper on the protection of citizens’ personal data that will be discussed at Justice and Home Affairs Council in Dublin on January 17 and 18.
The paper asks European justice ministers to consider whether sanctions, such as fines, “should be optional or at least conditional upon a prior warning or reprimand.”
Read more on ComputerworldUK.
This makes NO sense. I read this and immediately thought – Oh, Its OK to get breached the first time and have the potential not to get fined.
Isn’t that sending the WRONG message? It means that companies that consider security and compliance to regulations may be a bit lax on that isue, gambling that the revenue pile can be higher if less is spent on security controls. Then if they are fined, they have at least 2 strikes before they have to do anything about it. Thats the way a shady company would read it.
Yeah it says optional. I don’t see any government doing an optional plan.
Fines should be a mandatory thing based upon research that is related to an out of pocket cost for an individual to pay for Identity coverage and other services related to a very similar breach.
Giving organizations a way out only muddies the water and will make it even harder to have these places get to a set standard.
This is a real bad idea.
You realize that our FTC also doesn’t fine on a first offense and can only fine for a second or repeat offender, right?