U.S. companies could see tighter data-protection rules if Europe adopts new laws
EU moves toward 72-hour breach disclosure notices, raising max fine to $2.2 million
By Rodika Tollefson, ThirdCertainty
While Americans highly value their freedom from government intrusions and their freedom of speech, Europeans see privacy as their basic human right. Which is why many European nations have the strictest privacy protection laws anywhere.
By the end of the year, those laws may get even tougher.
In June, after three years of negotiations, the Council of the European Union agreed on a general approach to the general data protection regulation, or GDPR, that will govern its 28 member countries. The agreement clears a major hurdle and paves the way for negotiations with the European Parliament.
The most contentious aspects of the GDPR include the so-called “right to be forgotten,” a 72-hour requirement for disclosing certain breaches to the proper authority, and maximum penalties of 1 million euros (about $2.2 million) or 2 percent of “global annual turnover” for companies that fail to comply.
The GDPR would apply to any company doing business in the EU regardless of its physical location or presence and regardless of whether any money is exchanged during a transaction that involves data collection.
For companies, the good news is that the GDPR unifies data protection across the European Union and lets them deal with a single data authority.
“In some cases, it will make our job a little easier due to the fact that there will be the same standards—it will dispel some of the complexity,” says Jeff Schilling, chief security officer for FireHost, which provides secure cloud hosting to companies around the globe.
There also may be an advantage for companies from a data-security perspective. Schilling says bad actors “will go to the path of least resistance.” Under a patchwork of differing rules across the European bloc, that could mean going after a multinational company through the country with the lowest standards.
“When you have global, multinational companies, you’re only as secure as your weakest link,” he says. “That’s a good reason to get consistency and up the game.”
Tougher standards, enforcement
There is no doubt in some security experts’ minds that the GDPR is aimed at major global players.
Google, for example, is notorious for getting in trouble in Europe. In one case a couple of years ago, it was found guilty of violating data collection laws (through its Street View mapping service) in Germany.
Germany is considered to have Europe’s tightest data privacy laws. The country’s fine against Google? $195,000.
“At the end of the day, it was a bit of a hollow victory for regulators,” says Jason Straight, chief privacy officer at UnitedLex, a global leader in legal services outsourcing. “If you’re not going to impose steep fines (on major players), you’re not going to have an impact.”
Paul Keane, European operations manager for IDT911, says the penalties would be proportionate to the breach. (IDT911 is an identity theft protection company that sponsors Third Certainty.)
“Maximum fines are only to be considered for the most serious and blatant of breaches and are likely to be quite rare,” he says.
The breach-notification requirement may be the toughest to swallow.
The proposal states that as soon as the controller (the entity controlling the data) becomes aware of a personal data breach that “may result in physical, material or moral damage,” it must notify the proper authorities “without undue delay and, where feasible, within 72 hours.”
Straight, who has worked on many data breach events, says compliance might be difficult.
“You almost never understand the full scope of an incident with any accuracy within 72 hours,” he says. “It’s going to lead to a situation where companies are relaying information that later turns out to be inaccurate, and then you have credibility issues.”
Schilling, a retired U.S. Army colonel who has worked on cybersecurity operations, says a forensic investigation could take weeks.
“In a lot of cases what you’ll get is … all the indication that capabilities were there for the threat actors to exfiltrate data, but there’s no conclusive evidence that they actually did it,” he says. “How do you articulate that in regulations?”
U.S. companies need to be ready
Some of the provisions, such as an individual’s right to access and control personal data, are similar to a data-privacy proposal the White House put forward for discussion earlier this year. But the EU’s example is not likely to put any pressure on the U.S. Congress—U.S. data regulations are facing an uphill battle.
Part of that is cultural, Straight speculates. Many European bloc countries, he says, are all too familiar with what happens when a state abuses its access to private information. The former Soviet Union comes to mind.
“The concept that privacy is a fundamental right is much stronger in Europe,” he says. “I do not think what’s happening in the European Union will wash up on our shores.”
He says some companies will attempt to set universal policies around the globe.
“But some of those requirements, like the right to be forgotten, will impose a fair amount of costs on those companies,” he says. “I’d be surprised if they willingly gave this protection to people they’re not required to.”
Although the GDPR may not be in full effect for a few years, Keane says American companies need to start paying attention now.
“Overseas companies operating within the EU or processing EU citizens’ information need to start looking now at adjusting and complying with what is proposed,” he says.