The European Commission recently passed legislation requiring public telecommunication companies to notify regulators within 24 hours of security breaches of their data. A more detailed account of the security breach must be reported within 3 days after the initial report.
The Telecom must also notify the private individuals affected by the security breach if it is likely to adversely affect their personal data or privacy- a determination that is left wholly within the hands of the Telecoms itself. The private individual must be notified without “undue delay,” although no specific timeframe is mandated.
Further information is available at: http://www.mondaq.com/x/258672/data+protection/European+Commission+Tightens+The+Deadline+Data+Breach+Notification+Within+24+Hrs&email_access=on