European banking breach guidelines more strict than EU GDPR

News by SC Staff

Guidelines to payment service providers, supplied by the European Central Bank, call for reporting of a breach within two hours compared to the EU GDPR requirement for reporting within 72 hours.

Payment service providers (PSPs) have been issued with guidelines to follow in the event of a security breach in a new consultation paper issued by the European Banking Authority (EBA) working with the European Central Bank (ECB).

Suggested mandates include notifying authorities of an incident within two hours from the moment the breach is detected, compared to the General Data Protection Regulation (GDPR) requirement of notice within 72 hours of breach detection.

The proposed two-hour notification, which would be the first in a series of required reports, is part of a standardised template which the regulators say will help manage information throughout the investigation of a security breach. Initial reports are not expected to provide detailed information, but serve as an overview of what occurred and the impact it might have had. While the two-hour window sounds draconian, only a “high-level notification” is required immediately, said Robert Bond, a data protection expert and partner at Charles Russell Speechlys, talking to US press.

According to the consultation paper, “These draft guidelines set out the criteria, thresholds and methodology to be used by payment service providers in order to determine whether an operational or security incident should be considered major and, therefore, be notified to the competent authority in the home member state.”

There will be a public hearing on the consultation at the EBA on 9 February 2017, and comments on the consultation should be sent by 7 March 2017.
