One year after the European Union’s General Data Protection Regulation (GDPR) came into effect, the UK Information Commissioner’s Office received around 14,000 personal data breach reports, up from 3,300 reports during the previous year.
Although the GDPR originated in the EU, it is among the strongest data protection regimes worldwide, and its extra-territorial reach imposes strict obligations on any company that offers goods or services to EU residents or monitors their behaviour. US businesses have therefore had to stay vigilant about the GDPR and its potential impact on their operations.
“When GDPR entered the scene last May, it gave companies pause. They had to think about, do we as an organization come under the GDPR for anything – for any of the compliance security and data protection purposes or for data breach purposes,” said Katherine Keefe (pictured, above), head of Beazley’s Breach Response Services Group (BBR Services). “Lo and behold, a number of companies went through that analysis in the run up to GDPR and discovered that because of either the business model or the data that they maintained, that there are certain provisions of GDPR that do apply to them.”
Some EU internet users may have noticed that, starting on May 25, 2018, they could no longer reach certain US websites: rather than bring those sites into compliance, businesses had installed geo-blockers that turned away visitors from outside the US. Nonetheless, it is still unclear how US companies will be dealt with under the regulation.
“Other than the huge technology companies, who have already come under fire by some of the European regulators, it remains to be seen how regulators are going to be looking at compliance or non-compliance with GDPR,” said Keefe. “If a US-based middle market company were to somehow gain the attention of a European regulator, either by reporting a breach or for some other complaint filed by an EU citizen or EU data subject, and an investigation were to ensue, I would think that as the regulators mature in their understanding of the law and the requirements, that they would look at a US-based company’s efforts – are they reasonable efforts, were they diligent efforts, or was there total disregard?”
One of the challenges in complying with GDPR has been the fact that it’s not specific in terms of what businesses need to do.
“It’s essentially a law that says you will protect personal or sensitive information, and, if you don’t, here are the penalties that could be inflicted upon you after an investigation and a report to supervisory authority,” said Ian Thornton-Trump (pictured below), head of cybersecurity at AmTrust International. “It’s not specific as to what technological controls are required, so a business at first panics because it’s like driving down a road without a speedometer on your car and being accused of going too fast or even going too slow and holding up traffic.”
Meanwhile, in the absence of federal leadership on the topic, US states are putting out their own privacy legislation, such as the California Consumer Privacy Act (CCPA), which was signed into law in 2018 and takes effect on January 1, 2020.
“In terms of privacy, there are very few precedents in American law that we can point at and say, this is a guideline or a test case,” said Thornton-Trump, adding that privacy legislation in the country is a “nasty hodgepodge,” with California implementing some of the more aggressive legislation and other states having very little regulation with regards to data privacy.
Still, US companies should be implementing risk management today to ensure compliance with the GDPR, the CCPA, and whatever legislation comes next.
“Pay very careful attention and engage with your legal counsel, and engage with the experts in the field,” explained Thornton-Trump. “You need to really understand the type of data that you have, so start with a data inventory, draw pictures about where this data goes, how it’s processed, how it’s stored, how it’s protected. That’ll put you in a great position for when the actual rules of the road come down, and you can make sure you’re on the right side of the needle.”
Agents and brokers, who are on the front lines discussing risk with businesses, likewise need to communicate the importance of cyber insurance.
“We need to be very clear about what cyber liability insurance can cover, what it can’t cover, and how it works in conjunction with other security controls and regulatory frameworks,” said Thornton-Trump. “I’m a big fan of minimum cyber hygiene standards applied to cyber liability insurance. Just like if your car is not roadworthy, and you neglect to change the brakes or put on new tires, and you drive it down the road and you get into an accident, your insurance company will quite rightly question why didn’t you do this maintenance.
“That’s the relationship that we need to get in – that just simply selling someone a product is not good enough. I think educating them about how that product works and how it provides risk mitigation in conjunction with standards and best practices is really the key going forward.”