In the context of increasing cyber attacks on major corporate organizations, small businesses and governments, data protection and cybersecurity are hot topics
In the context of increasing cyber attacks on major corporate organizations, small businesses and governments, data protection and cybersecurity are hot topics. In 2016, Yahoo spilled 1.5 billion customers’ details in two separate incidents, while telecoms companies like TalkTalk – hacked in 2015 – have not been immune from attack. In 2016, US companies and government agencies suffered a record 1,093 data breaches, a 40% increase from 2015, according to the Identity Theft Resource Center. In Europe, the Breach Level Index reported 125 data breaches, a staggering 91 of which involved organizations in the UK. Headline-grabbing hacks, with victims ranging from Wendy’s to the Democratic National Committee, are increasing despite regulatory scrutiny and more aggressive cyber-security spending. The International Data Corporation revealed that worldwide spending on security-related hardware, software and services rose to $73.7 billion in 2016 from $68.2 billion the year before. A recent survey by the Information Commissioner’s Office found that 75% of customers don’t trust companies with their personal information.
Data privacy laws and legislative efforts to secure data across different industries are in the news these days for a variety of reasons and in a variety of countries. For example, government officials from the EU and the US are currently engaged in a heated debate about the privacy of data that crosses national borders. The Privacy Shield is a new arrangement intended to maintain transatlantic data flows by assuring Europeans that their privacy rights will be upheld when their data is transferred to the US (for example, when Europeans do business with American companies). An even more stringent EU data protection regulation, the General Data Protection Regulation (GDPR), will come into effect in May 2018 following a two-year post-adoption grace period.
With the adoption of the GDPR, it’s clear that protecting personal information and consumer integrity has become a high priority for the EU. Every citizen will have the right to know how their personal data is being used. A company that does not comply with the GDPR may be fined up to €20 million or four percent of their global annual turnover. Another challenge posed by these debates and developments is to fully understand the way that data privacy and its legal protections are handled in different jurisdictions. The issue is particularly acute in the US because the level of data privacy protections varies from state to state and there is no over-arching federal data protection legislation.
Since most of the 50 states have privacy statutes of their own, the US approach can be read as relying more on state-level and industry-specific legislation, whereas the EU relies on comprehensive privacy legislation. As a result, companies that provide data breach solutions would be wise to keep an eye on the GDPR as it makes its way through the EU’s legislative process, while in the US private companies must take it upon themselves to introduce a data breach response plan, validated through cyber testing, because reconciling federal and state-level requirements is challenging.