Cybersecurity - the good, the bad and the ugly
European data protection rules put unfeasible time pressures on companies, writes Paul Luehr
Like a tale from the golden era of Hollywood westerns, implementing Europe’s General Data Protection Regulation (GDPR) directive promises to be an adventure, especially as it relates to cybersecurity.
From the perspective of Americans who have pursued data breaches for years, Europe’s updated rules - scheduled for implementation in a year’s time - offer a mix of refreshing uniformity (the good), unworkable timelines (the bad) and daunting fines compounded by ambiguity (the ugly).
Americans grumble that the EU has deemed US data protections “inadequate”, even though we have reported data breaches for more than a decade under various state laws. But we grudgingly admit that the EU pulled off what we could not – a uniform regulation that will apply across multiple jurisdictions. In the US, companies still pay dearly to wrangle with federal statutes in specific sectors - notably the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act in the healthcare and financial services sectors - as well as 48 state laws, New Mexico being the latest to join the herd.
While Europe’s regulations avoid some US pitfalls, others are worsened. Many US states have raced to tighten notification timelines, moving from “the most expedient time possible” to 30-45 days, then 14 days for preliminary notices in Vermont.
Now the EU has joined the stampede, requiring data controllers to notify regulators within 72 hours of becoming aware of a breach “where feasible”. In reality, investigators have barely finished copying hard drives from hacked servers within 72 hours, and the Ponemon Institute, a privacy and data protection research body, has found that it takes 70 days to investigate and contain the average breach.
How then can companies provide such quick notice, as well as the requested information about the number of people or records affected?
Any investigation will be complicated by the European regulations’ broad definition of “personal data” as “any information relating to an identified or identifiable natural person”, as well as undefined phrases such as the “high risk to the rights and freedoms” of individuals. Yet the ugly truth remains: penalties for non-compliance could reach €10 million or 2 per cent of global turnover for those companies that seriously mishandle a breach.
Fortunately, companies can write part of their own script under Europe’s regime. The regulation requires companies to adopt “appropriate technical and organisational measures” and regularly evaluate those measures. Therefore, companies must adopt robust cybersecurity frameworks and incident response plans, and test their security regularly. Doing so will help prepare clients for Europe’s new regime, but they still should be prepared for a wild ride.
Paul Luehr is a partner at the Minneapolis head office of the US law firm Faegre Baker Daniels