As major cyber events are reported in the media, organizations face increasing urgency to understand their exposures. Equally urgent is the need to understand and comply with emerging regulations on data protection. Regulatory authorities around the world are seeking to enhance transparency and accountability for data breaches as the impact of cyber events continues to generate headlines. Regulators are imposing stricter rules requiring disclosure of data breaches, instituting larger penalties for violating data privacy laws, and increasingly using regulation as a means to drive public policy. Simply put, as cyber risk becomes increasingly global, the corresponding regulatory environment is increasingly convergent. The JLT Cyber Risk Consortium, an initiative of JLT, has compiled a global overview of regulation relating to cyber events.
Despite event-driven complaints from consumers and government leaders, regulation of privacy, data and network security in the United States is already quite broad and robust at both the federal and state levels. A prime example that has recently drawn widespread attention and congressional testimony is the massive data breach at credit reporting agency Equifax.
The breach at Equifax exposed the personal records of nearly 146 million Americans. The company’s recently retired chief executive, testifying at a congressional hearing, blamed the breach on a technology failure as well as a single employee who did not implement a software patch. Rep. Greg Walden, R-Oregon, posed a question at the hearing that surely is on the minds of many legislators: “How does this happen when so much is at stake? I don’t think we can pass a law that, excuse me for saying this, fixes stupid. I can’t fix stupid.” Rep. Joe Barton, R-Texas, went further, calling for new federal laws to “put some teeth” into penalties for data breaches.
Despite Rep. Barton’s comments, numerous federal agencies already assert some jurisdiction over data privacy and network security for the entities and industries they regulate. These agencies include, notably: the Federal Trade Commission, the Consumer Financial Protection Bureau, the Federal Communications Commission, the Department of Health and Human Services (for medical and health care data), the Department of Education, the Securities and Exchange Commission and various financial services agencies.
In addition, almost every state has breach notification laws or other regulations dealing with consumer information, and an increasing number of states are enacting laws governing industries licensed by that state. Perhaps the most far-reaching of these is the New York State Department of Financial Services (DFS) set of regulations for banks, insurers and other financial institutions. These rules call for the implementation of cyber security measures, such as encryption of sensitive data and multi-factor authentication, and for annual certification of compliance by senior management, among other requirements. Because New York is a center of financial services, its regulations are expected to serve as templates for state regulatory agencies around the country. Finally, supplementing state laws are the 50 state attorneys general, many of whom actively pursue enforcement actions against entities following privacy or cyber security incidents.
Over the past ten years there have been many efforts to enact federal data breach notification legislation. Many believe that a national notice law would provide uniformity for companies and stronger protections for consumers, but no such law has yet passed. Perhaps the Equifax breach will provoke enough voter outrage to push legislators to act, but history suggests that this latest "massive" breach will fade quickly. While credit reporting agencies may become more heavily regulated on this issue, comprehensive legislation is unlikely.
A new Data Protection Act is set to replace the United Kingdom's existing 1998 legislation of the same name. A draft bill published in September is making its way through Parliament. The draft legislation includes the main elements of the General Data Protection Regulation introduced in the European Union (see below), as well as higher penalties and mandatory notification requirements in the event of a data breach. The GDPR will apply in the UK from May 2018 until the UK's planned exit from the EU in 2019. The fact that the draft Data Protection Bill retains the provisions of the GDPR suggests that UK authorities intend to maintain regulatory equivalence on data protection after leaving the EU.
EU member nations are taking steps to clarify the administration of the General Data Protection Regulation, which takes effect May 25, 2018 and, as a regulation rather than a directive, applies directly without needing to be transposed into national law. Regulators and government organizations generally view the GDPR as an opportunity to improve cyber security. The GDPR imposes a set of data protection requirements, mandates notification of regulators and affected individuals for significant breaches, and provides for steep penalties. For serious violations, organizations can face fines of up to 4% of global annual turnover or 20 million euros, whichever is greater.
In July, Germany updated its data protection laws to stiffen penalties and address how the GDPR will apply to German companies. Notably, Germany introduced a new criminal offense on the transfer or release of personal data for commercial purposes.
Austria passed its Data Privacy Act in July. Austria has not deviated in any significant way from the provisions in the GDPR.
France, in implementing the GDPR, will shift from its current process of registrations and filings with the country’s data protection authority to a regime based on transparency and accountability.
Australian organizations face more stringent cyber regulations as a result of the GDPR and the February passage of the Privacy Amendment (Notifiable Data Breaches) Act 2017, which mandates reporting of data breaches by organizations regulated under the Privacy Act 1988. The new legislation, which takes effect February 22, 2018, will apply to businesses and non-profit organizations with annual revenue of AUD 3 million or more, as well as other organizations including, but not limited to, the private health care sector.
The legislation requires organizations to report any "eligible" data breach to the Office of the Australian Information Commissioner and to notify individuals who may have been affected. The law defines an eligible breach as an unauthorized release or loss of personal information, whether malicious or accidental and whether in hard copy or electronic form, that a reasonable person would conclude is likely to result in serious harm. Organizations that suspect an eligible data breach must complete an assessment within 30 days to determine whether a breach has occurred and whether notification is required.
The legislation also gives the Commissioner broad powers to compel an organization to make notifications, issue public apologies or pay compensation. The Commissioner may also impose fines of up to AUD 360,000 on individuals and AUD 1.8 million on organizations that do not comply with the law.
Regulators around the world are monitoring cyber events, particularly data breaches, and are doing more than issuing public criticism: they are increasing regulation and the penalties for non-compliance. Organizations must therefore expand their focus to improve cyber security and cyber risk management while also ensuring compliance with the regulatory requirements of every jurisdiction in which they do business.