BreachExchange mailing list archives

Why new European privacy laws matter to US CIOs and CISOs


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 13 Jul 2015 18:22:17 -0600

http://www.fiercecio.com/story/industry-insider-why-new-european-privacy-laws-matter-us-cios-and-cisos/2015-07-13

Based on recent developments, Europe seems poised to finalize the terms of
the EU General Data Protection Regulation by the end of the year.

These negotiations between the European Commission, European Parliament,
and European Council are slated to introduce new EU-wide privacy laws which
will have a significant impact on European businesses and IT professionals.

There's no doubt the new regulation will also have an impact on U.S. IT
departments – yes, U.S. IT departments.

The GDPR is unique because it applies to businesses outside the EU that
process personal data collected through offering services or goods to
citizens in the EU. This regulation will apply to any and all businesses
that collect personal data from their EU customers.

Even organizations with no offices based in the EU can be investigated,
fined and even prosecuted under the upcoming regulation.

So what do you need to know about the European privacy law as a U.S. IT
leader or IT security head?

Reporting a breach

The GDPR not only imposes requirements to implement appropriate security
measures, but also makes it a mandatory requirement to report a data breach
to the relevant data protection authorities.

Aside from the increased sanctions faced in the wake of a breach, there are
various other ways in which security professionals will be affected by the
new regulations.

For example, the regulation states that "if feasible" companies should
report a data breach within 24 hours of detection. It also states that
where a data breach has occurred, the organization has to notify all those
affected unless it can prove that data is unreadable by anyone not
authorized to access it.

Increased penalties

The regulation will also see an increase in fines. Implementing a
comprehensive data-protection policy may seem like a huge cost for an
organization of any size. However, the cost of failing to do so could be
devastating.

The new legislation will introduce fines exceeding $100 million or two
percent of annual global turnover. Fines of this nature would be far larger
than the cost of implementing a robust data security policy. The loss of
reputation and customer trust can be just as devastating (if not more so)
as a monetary fine.

Moving Forward

With the proposed regulation expected to be adopted by the end of the year,
businesses should start to consider the impact and what steps they must
take to deal with these new requirements.

This means having the right technology: a layered security defense that
includes encryption, anti-malware, and endpoint security. It also means
conducting regular, thorough security audits on the health of your data
security.

Finally, it's important that your staff be aware of what is expected in the
event of a breach and the associated risks. Promoting internal awareness
should be regularly conducted across the organization.

Overall, the EU GDPR will spur U.S. organizations to better protect against
and manage data breaches when they occur. As a result, the more that can be
done now to train employees, put guidelines in place and ensure the
appropriate tech-based protection is implemented, the better off U.S.
businesses will be in the long run.