BreachExchange mailing list archives

New Law Could Lead To Fines For Cloud Service Data Breaches
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 13 Aug 2014 19:46:07 -0600

http://www.misco.co.uk/blog/news/02196/new-law-could-lead-to-fines-for-cloud-service-data-breaches

The majority of cloud service providers could come unstuck over the
requirements of the new EU General Data Protection Regulation, which will
replace the EU Data Protection Directive that was adopted in 1995.

The new directive aims to modernise earlier regulations in line with the
needs of the internet and cloud era - when companies manage enormous
amounts of data ranging from names, email addresses and phone numbers to
computer IP addresses.

When it is implemented, data controllers (who own the data) and data
processors (such as cloud providers and data centre hosting companies) will
share liability for any data breaches and violations of the law.

While the previous law had no penalties, this new regulation will impose
hefty fines on service providers who fail to meet its requirements - up to
5% of a company's annual revenue or up to €100 million (over £79 million),
whichever is higher.

But only one in 100 cloud service providers will be ready for the
regulations, says security provider Skyhigh Networks. In a study of over
7,000 cloud services suppliers, only 1 in 100 met the criteria expected to
be contained in the new regulations.

Particular areas of concern are individuals' right to request deletion of
data identifying them; and the requirement to notify EU regulatory
authorities within 24 hours of a data breach, even if the breach occurs in
a third party cloud service. There are also issues with current
legislation, which requires an organisation to take steps to protect
personal information.

The study shows that cloud services providers still have work to do if they
are to remain on the right side of the law - and avoid huge fines when the
legislation comes into force.

The directive is likely to be passed this year and implemented in 2015 and
will affect organisations which are based in Europe, run operations in
Europe, or which simply handle the data of EU residents.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 