SOURCE: Co3 Systems


July 16, 2013 09:03 ET

Co3 Systems Simplifies International Privacy Breach Compliance

Adds Complete European Union Support to Regulatory Knowledgebase; Supports Latest U.S. Regulatory Changes

CAMBRIDGE, MA--(Marketwired - Jul 16, 2013) - Co3 Systems, the leader in Security Incident Response software, today announced that it has gone global by expanding its Privacy Module with comprehensive coverage for privacy regulations in the European Union (EU). This first-of-its-kind advancement allows organizations to easily navigate the vast differences in the definition, regulation and communication of data breaches involving Personally Identifiable Information (PII) across the U.S. and the EU. The company constantly updates its knowledgebase to cover the latest in changing U.S. and Canadian privacy breach regulations, which will now include the EU.

"Privacy has the potential to be a new 'Cold War' between the U.S. and the EU," said Larry Ponemon, chairman and founder of the Ponemon Institute. "There are massive differences in economic and philosophical approaches to PII that put any organization that does business internationally at risk of substantial fines and loss of revenue, should they not comply with the letter of the laws. Fortunately, Co3 Systems has become an expert in deciphering these differences, so their customers don't have to."

Co3 experts have documented and written extensively on this highly diverse and dynamic landscape, including the differences in the definitions of PII between the U.S. and the EU and the EU fears around the privacy implications of the Patriot Act, which are sure to be exacerbated by recent events. The new coverage assists customers across three major areas:

  • PII Definition and Identification: While U.S. breach laws tend to define PII through very specific and tangible data elements (Social Security numbers, credit card numbers, etc.), the EU definition is much broader, often phrased as "information relating to an identified or identifiable individual." Consideration is also given to data elements referred to in the EU as "Special Categories of Data," which include religious/philosophical beliefs, trade union memberships, racial/ethnic origin, health or sex life, and criminal activity.
  • Regulatory Reporting Triggers and Responsibility: While U.S. breach laws primarily depend on the state of residence of the affected consumer, EU regulations relate more to where the office of the data controller is established or where processing takes place. This can make it very difficult for U.S. companies with offices in Europe to determine whether or not a breach needs to be reported, and timing can be equally vague, with phrasing such as "as soon as the data controller becomes aware" of the incident (Ireland) or "the competent supervisory authority shall be notified without delay" (Germany).
  • Non-regulatory Breach Communications: Some countries do not expressly require notification by regulation, but their Data Protection Authority strongly recommends the practice. In those countries, notification can be viewed as an effort to reduce the risk of harm to individuals by allowing them to take proper precautions. This is the case in Denmark, Ireland and the UK. There have been court cases in Denmark where the interpretation leans toward treating it as a legal requirement.

"The U.S. and European systems of privacy regulations are quite complex in their own right. Trying to span both is made more complex as each has a fundamental difference on the definition of privacy," said John Bruce, CEO at Co3 Systems. "The cost and uncertainty that this environment creates can be a severe impediment to international business growth. Co3 offers a way to reduce this complexity and completely automate the process of preparing for, and ultimately managing breaches and their business impact, independent of territorial wrinkles that arise each day as regulations and guidance evolve."

Co3 will be hosting a webinar next week exploring how the USA Patriot Act of 2001 compares to the ways other countries combat terrorism, and how these approaches relate to privacy. The webinar will be on July 24 and feature experts including Stewart Baker, Partner at Steptoe & Johnson LLP and former Assistant Secretary for Policy at the Department of Homeland Security and General Counsel of the NSA; Michael Vatis, Partner at Steptoe & Johnson LLP; and Gant Redmon, Esq., CIPP/US, General Counsel at Co3 Systems.

A major component of Co3's value is the active knowledgebase of regulations and best practices that experts and the Co3 customer base keep updated in real-time. In addition to the European regulations, the latest Co3 release includes support for changes in U.S. state privacy regulations:

  • Texas: Expanded its breach notification requirement so that Texas companies must notify affected individuals regardless of their state of residence. Companies have the option of notifying under the Texas regulation or under the consumer's state of residence, but either way, the individuals must be notified of the breach. So, if a person lives in a jurisdiction that has no breach notification requirement of its own, the organization must notify according to the Texas regulation.
  • Vermont: Breach notification regulations now require organizations regulated by the Department of Financial Regulations to notify that department of a breach. Previously, such organizations, if regulated by the Gramm-Leach-Bliley Act (GLBA), did not have to notify a state regulator in Vermont. Entities not covered by GLBA will still be required to notify the Vermont Attorney General.
  • North Dakota: Adds medical information and health insurance information to the definition of personal information, thereby extending its breach notification requirement to cover these data types. The state has also added an exception for Health Insurance Portability and Accountability Act (HIPAA) covered entities, business associates, and subcontractors, meaning that these organizations are considered to be in compliance with the North Dakota regulation if they are already subject to HIPAA requirements.

Pricing and Availability
The new features are accessible to Co3 Privacy Module customers at no additional cost. The Privacy Module is licensed annually by the number of seats; support is included in the annual subscription.

Total Security Incident Response
Co3's Privacy Module was the market's first daily use and preparedness tool for privacy incidents and is considered today as the industry standard. It provides an easy, automated way to ensure consistency and accountability -- across teams, organizations and external stakeholders -- in managing incidents that concern PII. Co3's Security Module extends the capability to manage response to security events such as malware infections, phishing-related compromise, Distributed Denial of Service (DDoS) attacks, device or Intellectual Property theft, and system intrusions. Together, the Modules provide the most comprehensive solution to prepare, assess, manage, and report on privacy breaches and security incidents.

Follow Co3 Systems:
Twitter: @co3sys

About Co3 Systems:
Headquartered in Cambridge, MA, Co3 Systems is an innovator in Security Incident Response solutions. The company's SaaS-based offering enables organizations of all sizes to efficiently prepare for and rapidly manage the Incident Response Process for Security incidents or Privacy breach events. Companies using Co3 demonstrably minimize the costs resulting from incidents. With funding from Fairhaven Capital, the company's executive team and advisors comprise security experts from world-leading security, software and service organizations. On the web at

Contact Information

  • Contact:
    Jennifer Torode
    CHEN PR for Co3 Systems
    (781) 672-3119