U.S. companies could see tighter data-protection rules if Europe adopts new laws

EU moves toward 72-hour breach disclosure notices, raising max fine to $2.2 million


While Americans highly value their freedom from government intrusions and their freedom of speech, Europeans see privacy as a basic human right, which is why many European nations have the strictest privacy protection laws anywhere.

By the end of the year, those laws may get even tougher.

In June, after three years of negotiations, the Council of the European Union agreed on a general approach to its 28 member countries’ general data protection regulations, or GDPR. The agreement clears a major hurdle and paves the way for negotiations with the European Parliament.

Among the most contentious aspects of the GDPR are the so-called “right to be forgotten,” a 72-hour requirement for disclosing certain breaches to the proper authority, and maximum penalties of 1 million euros (about $2.2 million) or 2 percent of “global annual turnover” for failing to do so.

The GDPR would apply to any company doing business in the EU regardless of its physical location or presence and regardless of whether any money is exchanged during a transaction that involves data collection.

For companies, the good news is that the GDPR unifies data protection across the European Union and allows them to deal with a single data authority.

“In some cases, it will make our job a little easier due to the fact that there will be the same standards—it will dispel some of the complexity,” says Jeff Schilling, chief security officer for FireHost, which provides secure cloud hosting to companies around the globe.

There also may be an advantage for companies from a data-security perspective. Schilling says bad actors “will go to the path of least resistance.” When dealing with multiple rules across the European bloc, that could mean targeting a company through a country that has the lowest standards.

“When you have global, multinational companies, you’re only as secure as your weakest link,” he says. “That’s a good reason to get consistency and up the game.”

Tougher standards, enforcement

There is no doubt in some security experts’ minds that the GDPR is aimed at major global players.

Google, for example, is notorious for getting in trouble in Europe. In one case a couple of years ago, it was found guilty of violating data collection laws (through its Street View mapping service) in Germany.

Germany is considered to have Europe’s tightest data privacy laws. The country’s fine against Google? $195,000.

“At the end of the day, it was a bit of a hollow victory for regulators,” says Jason Straight, chief privacy officer at UnitedLex, a global leader in legal services outsourcing. “If you’re not going to impose steep fines (on major players), you’re not going to have an impact.”

Paul Keane, European operations manager for IDT911, says the penalties would be proportionate to the breach. (IDT911 is an identity theft protection company that sponsors Third Certainty.)

“Maximum fines are only to be considered for the most serious and blatant of breaches and are likely to be quite rare,” he says.

Unrealistic rule

The breach-notification requirement may be the toughest to swallow.

The proposal states that as soon as the controller (the entity controlling the data) becomes aware of a personal data breach that “may result in physical, material or moral damage,” it must notify the proper authorities “without undue delay and, where feasible, within 72 hours.”

Straight, who has worked on many data breach events, says compliance might be difficult.

“You almost never understand the full scope of an incident with any accuracy within 72 hours,” he says. “It’s going to lead to a situation where companies are relaying information that later turns out to be inaccurate, and then you have credibility issues.”

Schilling, a retired U.S. Army colonel who has worked on cybersecurity operations, says a forensics investigation could take weeks.

“In a lot of cases what you’ll get is … all the indication that capabilities were there for the threat actors to exfiltrate data, but there’s no conclusive evidence that they actually did it,” he says. “How do you articulate that in regulations?”

U.S. companies need to be ready

Some of the provisions, like an individual’s access to and control of personal data, are similar to those in the data privacy proposal the White House put forward for discussion earlier this year. But the EU’s example is not likely to put any pressure on the U.S. Congress—U.S. data regulations are facing an uphill battle.

Part of that is cultural, Straight speculates. Many European bloc countries, he says, are all too familiar with what happens when a state abuses its access to private information. The former Soviet Union comes to mind.

“The concept that privacy is a fundamental right is much stronger in Europe,” he says. “I do not think what’s happening in the European Union will wash up on our shores.”

He says some companies will attempt to set universal policies around the globe.

“But some of those requirements, like the right to be forgotten, will impose a fair amount of costs on those companies,” he says. “I’d be surprised if they willingly gave this protection to people they’re not required to.”

Although the GDPR may not be in full effect for a few years, Keane says American companies need to start paying attention now.

“Overseas companies operating within the EU or processing EU citizens’ information need to start looking now at adjusting to and complying with what is proposed,” he says.
