More and more, regulators are focusing their rulemaking power not just on how a company responds (or doesn’t respond) to a data breach, but the steps it took far in advance to prevent or mitigate such a breach.
Two new sets of regulations — the European Union’s General Data Protection Regulation (EU GDPR) and a stringent new cybersecurity regulation from the New York Department of Financial Services — fall into this breach mitigation category, and are catching the eye of all companies that collect, store or process customer data.
General Data Protection Regulation (EU GDPR)
The EU GDPR looms large for any firms or companies that handle the data of European customers. The measure, which goes into effect on May 25, 2018, will apply to any entity that captures or processes the data of EU data subjects — even if in relation to a free good or service.
This will be an entirely new area of risk for many U.S.-based entities, one that imposes significat accountability requirements and carries the threat of serious fines — up to €20 million or four percent of global turnover for the preceding financial year, whichever is greater.
One key element of the EU GDPR is the requirement, in certain circumstances, for firms to designate a data protection officer (DPO). This position, which must be in place by the law’s effective date, can be either an employee with a significant level of expertise or a contractor. Some in the industry are already worrying about the limited talent pool for this key position, and the importance of early recruitment so the DPO can guide an organization through preparations for the GDPR’s quickly approaching effective date.
New York cyber regulation for banks, insurers
New York’s new regulatory scheme becomes effective in just a few weeks, March 1, 2017, and applies to any banks, insurers and financial institutions regulated by the state’s Department of Financial Services.
This first-of-its-kind regulation requires affected companies and firms to create and maintain a detailed cybersecurity policy and program. The requirements of that program match many of the standard elements for any well-established private cybersecurity policy, such as implementing penetrative testing and vulnerability assessments, providing personnel training, and limiting access privileges. But this is the first time a state agency has required a written cybersecurity protocol from such a wide range of entities.
For more information, please contact one of the attorneys in the Firm's Cybersecurity group.