A huge challenge looms for IT security departments, and it isn't a new hacking group or sophisticated malware.
Companies have 18 months to prepare for the most rigorous data privacy regulation to date. The European Union’s General Data Protection Regulation (GDPR), signed into law by the European Parliament, aims to break the trend of weak protection for consumers from data breaches.
Between the GDPR’s upcoming May 25, 2018 enforcement date and recent record fines from other regulatory authorities, 2017 should mark a watershed for cybersecurity regulation.
GDPR: Regulation with Teeth
The enforcement of GDPR gives companies a concrete deadline to implement controls on the way they use and store data. Digital information is the brick-and-mortar of new business models, but companies currently tend to treat it like a cheap commodity.
When a company collects data, it is on loan. The lender can ask for the data back, check if it is being used properly and demand the company does not loan it to someone else without their approval.
This is the gist of the GDPR’s requirements. Simple in theory, but a huge project for companies to put in place across millions of customer records.
The transformative aspect of the GDPR, however, comes from the breadth and severity of its enforcement.
Here are the four provisions that make the GDPR different:
1. You Can Run, But You Can’t Hide
In a digital economy, cross-border commerce occurs with a few clicks.
The pre-existing law only applied to companies headquartered in the EU. Starting in May of 2018, any company with data on EU consumers has to comply with the GDPR, even if they are not based in the EU.
Nearly every internet service in the world will now be held to the same strict standards outlined in the law.
2. No Handing-Off Responsibility
With the ease of software integration, a handful of third-party tools might have access to a company’s database.
According to the GDPR, responsibility for protecting data never leaves the hands of the original collector. Any company that receives personal data will also need to comply with the law.
The average company exchanges data with 1,555 business partners, so satisfying this part of the law will be a huge project on its own.
3. Coming Clean on Breach Notification
Much of the controversy around companies’ cybersecurity efforts centers around the delay between cybersecurity incidents and when victims find out their data has been compromised.
The GDPR requires a strict breach notification window of 72 hours within any data loss. As a sign of the work to come, currently only 44.5 percent of companies have a complete breach response plan.
4. Fines Beyond a Slap on the Wrist
In the past, data breach fines have amounted to "pocket money" relative to the companies’ finances. Under the GDPR, maximum fines will increase to 4 percent of global revenue or €20 million (about 25 million US dollars) — whichever is higher.
The hefty cost of a data breach should make compliance departments think twice about violating the regulation.
Rising Data Breach Price Tags
The EU has undertaken a concerted effort to usher in the information security capabilities necessary for the digital age.
The European Parliament more recently passed a directive requiring minimum cybersecurity capabilities for critical infrastructure, a sector that came under the microscope after attacks on a New York state dam and a Ukrainian power plant.
Existing regulations are also cracking down on blatant information security failures.
- St. Joseph Health, an Irvine, Calif.-based healthcare organization, will pay a HIPAA violation fine of $2.1 million
- TalkTalk, a British service provider, became the recipient of a record fine by the UK’s Information Commissioner’s Office (ICO) of £500,000 or around $633,000 (As a reference for the severity of GDPR, the maximum fine would be around $93 million)
Incoming regulations aren't the only factor putting pressure on IT security teams. In addition to its fine, TalkTalk suffered direct breach-related costs of $76 million, a revenue drop of $101 million, an 11 percent drop in share price and a 4.4 percent decline in market share. The total cost of the breach makes the fine look paltry.
An analysis of disclosures to the SEC revealed that 83 percent of public companies are most worried about the reputational damage that comes with a data breach. TalkTalk’s breach confirmed this fear, with loss of revenue costing the company more than direct payments to resolve the breach.
The Days of Ignoring Data Security Are Over
Privacy regulations have long been derided as too weak to influence companies’ behavior in a meaningful way.
The GDPR will put the hypothesis to the test with much stricter requirements protecting individuals’ data. Either through regulations or market forces, expect companies to take on major projects to modernize their information security capabilities or pay the price.