Most businesses have heard vaguely about the impending GDPR, which takes effect in May 2018. It is designed to standardize European data privacy laws and guarantee the data privacy rights of people in the EU, and it rests on the idea that privacy is a fundamental right of the individual, not something to be bought and sold by corporations.
Um, memo to Equifax … and TransUnion and Experian.
Many U.S.-based organizations believe the new GDPR regulation applies only to organizations based in the EU. That is not correct. The GDPR applies to any organization that offers goods or services to, or monitors the behavior of, EU data subjects, regardless of where the company is located.
Put simply: if a company offers goods or services to people in the EU, or processes their personal data, it is subject to the regulation. The open questions are whether the law will be applied to U.S. businesses that inadvertently or unknowingly serve EU residents, and whether it can be enforced against them.
I believe the answer to both depends on which entities the GDPR regulators choose to pursue. They will certainly pick violators who showcase the essence of the law, to make the point that even small violations will be punished to the letter, and they will partner with U.S. agencies such as the FTC to demonstrate that they are serious about pursuing violations.
The right of access defined by the GDPR lets data subjects find out whether a data controller holds their personal data, why it holds that data, and what will be done with it. The scope of “personal data” is broader than many businesses outside the EU may realize. It includes “…any information related to a natural person or ‘Data Subject’ that can be used to directly or indirectly identify the person.”
That means any organization that holds or processes any personal identifiers, including credit card data, must be ready to accept and answer access requests, and many such organizations will discover that they fall under the regulation as well.
After the uproar rightly caused by the Equifax breach, it should surprise no one that our own federal and state governments will soon be issuing cybersecurity and privacy regulations that look a lot like the recently imposed NYDFS cybersecurity regulation. So, in my mind, the real question is: why would an organization or business not move immediately toward ensuring that it will be in compliance when the time comes?
If it needs a cost/benefit analysis, your risk team need look no further than the Hilton settlement of last month, the Equifax litigation costs, or the LifeLock costs, to name just three. The $700,000 that Hilton agreed to pay the New York and Vermont attorneys general works out to a palatable $2 per lost record. Against Hilton’s $11.2 billion in 2015 revenue, the year of the breach, that $700,000 was roughly 0.006% of annual revenue at the time. Why is this important?
Under the new GDPR regulation, data “controllers” like Hilton (in other words, organizations that collect data on customers or employees) can be fined up to 4% of worldwide annual turnover for the preceding financial year, or €20 million, whichever is higher, for failing to adequately protect that customer data. Hilton’s FY 2014 revenue (its “turnover” for the year preceding the breach) was $10.5 billion, and 4% of that is a cool $420 million, or $1,200 for every customer record lost.
If that doesn’t get your shareholders and board’s attention, then sadly perhaps nothing will.
The bottom line is that failure to comply with the GDPR could be very costly. And it is only a harbinger of things to come. Whether future regulations come down through multiple bodies, as they do today through the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) for HIPAA, or through FINRA, the SEC or the CFPB for GLBA, or whether Congress finally passes the cybersecurity legislation it urgently needs to, by 2018 we will likely see statutes in every state.
The cost to comply probably falls well within the cost of a single headcount, so I am always perplexed that any company would take the risk. It isn’t just your IP or your customer information that you need to protect. It is also the emails and memoranda written by your key executives, which can easily be stolen and held for ransom.
It doesn’t happen overnight, either. You can’t just flick a switch and implement all of the components of a minimally passable cybersecurity plan, policy, process and technology. Why wait until the calendar forces you to act? Or, worse yet, until after you have been breached?
Remember, we didn’t ask the government to step in and regulate us; we earned it by failing to regulate ourselves.
This is a Security Bloggers Network syndicated blog post authored by Steve King. Read the original post at: News and Views – Netswitch Technology Management