BreachExchange mailing list archives
Why new European privacy laws matter to US CIOs and CISOs
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 13 Jul 2015 18:22:17 -0600
http://www.fiercecio.com/story/industry-insider-why-new-european-privacy-laws-matter-us-cios-and-cisos/2015-07-13

Based on recent developments, Europe seems poised to finalize the terms of the EU General Data Protection Regulation by the end of the year. These negotiations between the European Commission, European Parliament, and European Council are slated to introduce new EU-wide privacy laws which will have a significant impact on European businesses and IT professionals.

There's no doubt the new regulation will also have an impact on U.S. IT departments – yes, U.S. IT departments. The GDPR is unique because it applies to businesses outside the EU that process personal data collected through offering services or goods to citizens in the EU. This regulation will apply to any and all businesses that collect personal data from their EU customers. Even organizations with no offices based in the EU can be investigated, fined and even prosecuted under the upcoming regulation.

So what do you need to know about the European privacy law as a U.S. IT leader or IT security head?

Reporting a breach

The GDPR not only imposes requirements to implement appropriate security measures, but also makes it a mandatory requirement to report a data breach to the relevant data protection authorities. Aside from the increased sanctions faced in the wake of a breach, there are various other ways in which security professionals will be affected by the new regulations. For example, the regulation states that "if feasible" companies should report a data breach within 24 hours of detection. It also states that where a data breach has occurred, the organization has to notify all those affected unless it can prove that the data is unreadable by anyone not authorized to access it.

Increased penalties

The regulation will also see an increase in fines. Implementing a comprehensive data-protection policy may seem like a huge cost for an organization of any size. However, the cost of failing to do so could be devastating. The new legislation will introduce fines exceeding $100 million or two percent of annual global turnover. Fines of this nature would be far larger than the cost of implementing a robust data security policy. The loss of reputation and customer trust can be just as devastating (if not more so) than a monetary fine.

Moving Forward

With the proposed regulation expected to be adopted by the end of the year, businesses should start to consider the impact and what steps they must take to deal with these new requirements. This means having the right technology: a layered security defense that includes encryption, anti-malware, and endpoint security. It also means conducting regular, thorough security audits on the health of your data security. Finally, it's important that your staff be aware of what is expected in the event of a breach and the associated risks. Internal awareness efforts should be run regularly across the organization.

Overall, the EU GDPR will spur U.S. organizations to better protect against and manage data breaches when they occur. As a result, the more that can be done now to train employees, put guidelines in place and ensure the appropriate tech-based protection is implemented, the better off U.S. businesses will be in the long run.