There is a myriad of laws around the world pertaining to privacy and data protection. For a multinational company, following the strictest regulations may be the best bet, especially since laws are becoming increasingly rigorous.
In the US, compliance with Payment Card Industry Data Security Standard (PCI DSS) is not required by federal law. However, the laws of some U.S. states either refer to PCI DSS directly or make equivalent provisions. The PCI DSS applies to any organization, regardless of size or number of transactions, that accepts, transmits, or stores cardholder data.
A bank can be charged $5,000 to $100,000 per month for PCI compliance violations. The bank normally passes this fine along to the merchant. More than likely, the bank will either terminate the relationship with the merchant or increase transaction fees.
Until late 2015, US-based companies could collect data from users in the EU if they were certified under the Safe Harbor program. This was replaced by the EU-US Privacy Shield, effective July 2016. In May 2018 the General Data Protection Regulation (GDPR) takes effect, replacing the 1995 Data Protection Directive; it applies to any foreign company that processes EU residents' data, with Privacy Shield remaining a transfer mechanism alongside it. Some of the major provisions of the GDPR are:
A Data Protection Officer (DPO) must be appointed by public authorities and by organisations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data (an earlier draft used a threshold of 250 employees). The DPO ensures that procedures exist to handle data subject access and erasure requests, and that those procedures are followed.
Fines are tiered: up to €10,000,000 or 2% of worldwide annual turnover for lower-tier violations, and up to €20,000,000 or 4% of worldwide annual turnover for the most serious ones, whichever is higher. Personal data breaches must be reported to the supervisory authority within 72 hours of the organisation becoming aware of them.
Data disposal laws of various kinds have been enacted in 31 US states. Federal data privacy laws include the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which governs protected health information held by covered entities and their business associates, and the Children's Online Privacy Protection Act (COPPA), which applies to online services collecting data from children under 13. Expect legislation requiring all healthcare apps, on any platform, to be HIPAA compliant in the foreseeable future.
In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) sets rules for protection of collected personal data. In addition, Alberta, British Columbia and Quebec have created their own privacy laws. Every province has enacted differing laws concerning personal health information.
Australia, New Zealand, Singapore and Japan have data privacy laws similar to those presently in effect in the EU. Most other countries have less rigorous data protection legislation, if any.
IoT devices are constantly collecting data. How much of that data is considered personal? For example, does the amount of electricity used in a home constitute data to be protected? Existing law has not kept pace with the issues introduced by IoT. It is even unclear who is liable when an IoT device malfunctions and causes personal or property damage.
In the US, 47 states have security breach notification laws, many of which require notice to affected customers as well as to regulators. In Canada, by contrast, only the province of Alberta currently requires notification. With the GDPR taking effect in 2018, companies operating in Europe will be required to report personal data breaches to their national supervisory authority within 72 hours and, where the breach is likely to result in a high risk to individuals, to notify the affected individuals without undue delay.
The head of a UK industry insurance organisation has called for the government to create a database to record details of all cyber attacks, not only data breaches. The database would include company information and the type of attack as well as the damage caused and clean-up costs. Insurance companies have little data on which to base their cyber insurance policies. It is hoped that the database will resolve the issue and make policies available at a reasonable cost.
Courts are contending with more lawsuits from consumers whose personal information may have been compromised in data breaches. US courts have so far been split on whether the mere exposure of data, without demonstrated misuse, constitutes an injury that gives consumers standing to sue; even so, the trend is worrisome for companies, which face large legal bills even when a suit never reaches trial.
In April 2016, the US Court of Appeals for the Fourth Circuit found that a data breach was covered under a particular commercial general liability (CGL) policy (Travelers Indemnity Co. v. Portal Healthcare Solutions). The crux of the matter was this: the insurer had argued that there was no personal injury or "publication" as defined by the policy, because the release of the medical records was unintentional and no third party was shown to have actually viewed them. The court held that an unintentional publication is still a publication.
This ruling has caused confusion in the marketplace. Should companies purchase a separate cyber policy, or is a breach already covered under CGL? Insurance payouts for data breaches are a relatively new phenomenon, and there is very little case law to draw on. Loss estimates have come mostly from security vendors, and it is in their interest to show large losses. The actual losses do not appear on the balance sheet for months or even years, and often at a lower figure than first suggested.
Most insurance analysts recommend that their clients have both CGL and cyber policies. In the US, 51 per cent of businesses are covered by both compared to just 26 per cent in the UK, according to NTT Com Security. Insurance analysts caution that cyber policies should specifically cover security breaches and data loss.
It’s better to have a good defense
Security incidents are common occurrences, and there is a high probability that your organisation will experience a data breach at some point. Establishing good data protection policies, to reduce both the likelihood of a breach and the financial loss when one occurs, is crucial.