The General Data Protection Regulation (GDPR) is a European Union (EU) data protection law that applies to all individuals living in the EU and European Economic Area (EEA) but has big implications for U.S. companies doing business around the globe. The law aims to put EU residents in control of their personal data. It regulates how their data is collected, processed, stored, deleted, transferred and used. U.S. companies doing business in the EU and EEA had to comply with the regulation by May of this year or face stiff fines of up to 4 percent of annual global revenue or $20 million, whichever is higher. But many companies are struggling to reach the level of compliance required.
This law has implications for nearly every global industry, such as healthcare, legal, finance, insurance, and consulting. When attackers choose which industries to target, finance has a bullseye on its back. Because of this, financial organizations already have processes and technologies in place to detect and respond to breaches, thanks to industry regulations like FINRA.
GDPR regulations bring a huge shift for U.S. businesses in terms of post-breach notification requirements, potential issues with the insurability of GDPR fines, and the equal liability the regulation places on data owners and data processors.
Data breaches and cyber attacks are the new normal: massive attacks are reported daily, the risks are becoming mainstream, and the breaches usually involve personal data.
The United States doesn’t have a federal law like the GDPR, but some states are putting similar regulations in place. New York’s is called the Department of Financial Services cybersecurity regulation (23 NYCRR Part 500) and became law in March 2017. This law protects citizens and consumers by forcing businesses to have secure cyber systems in place to safeguard the confidentiality and availability of identification and financial information. If their systems are breached, businesses need to be able to detect the breach and respond to it immediately to mitigate it. They also must report the event and begin a cyber audit to identify how the breach occurred.
IT departments around the globe were scurrying to meet the May 2018 GDPR deadline, but many U.S. businesses remain non-compliant and have purchased cyber insurance to rely on in case of a breach. Cyber insurance can help cushion the cost of a breach, including secondary costs like the expense of containing, communicating, investigating and remediating the hack. However, many insurance policies don’t cover fines for non-compliance with the GDPR principles. That is why multiple layers of defense are needed. Such layers could include technical and organizational controls that protect the integrity and confidentiality of EU personal data.
To be compliant, some businesses will:
- Discover and classify all personal data
- Create a plan to close all identified protection control gaps
- Encrypt all personal EU data
- Develop a processing policy
- Partner with third parties that process personal EU data on their behalf
- Produce a process to test the effectiveness of data protection controls
- Enhance security controls: monitor, detect, respond to and report all policy violations and external threats
Adhering to a compliance and standards-based framework can help businesses attract and retain more customers. By building trust with consumers, businesses can differentiate themselves and grow in an ever more competitive global market.
If you have questions about this article or cyber insurance, contact a cyber insurance expert at The Plexus Groupe at 847-307-6100.