Editor’s note: Randy Sabett is the vice chair of the privacy and data protection practice group at Cooley and the former commissioner of the commission on cyber security for the 44th presidency. Lindsy Solanki represents technology companies and startups as an associate in the Emerging Companies practice group at Cooley, LLP.
The finishing touches of the European Union General Data Protection Regulation (GDPR) are underway, and with it, many international companies that have data passing through the EU, house customer data of EU residents or are based in the EU are concerned about how they will fare once the new law is enacted. And they should be, as non-compliance could result in costly penalties under the proposed regulation – up to 5 percent of a company’s annual worldwide revenue or up to €100 million (~$120 million).
In addition to the heavy fines and loss in revenue, non-compliance could cause a public relations nightmare for a company – resulting in a loss of customers and business partnerships and a reduction in potential market opportunity. Non-compliance with the proposed regulation could cost a business far more than it would cost to make the business, and its data, secure and compatible with the proposed EU regulation.
Multinational companies doing business in Europe are keen to find a streamlined way to function within the universal parameters of the proposed data protection regulation. American companies often take advantage of the U.S./EU safe harbor framework, which provides a mechanism to legitimize transfers of personal data between Europe and the U.S. This framework, though, is currently being renegotiated.
The recent barrage of security breaches across numerous industries, coupled with ongoing concerns of state-backed espionage, has spilled over into the U.S./EU safe harbor negotiations, bringing the framework’s continued existence into question. Failure by the U.S. and EU to reach a compromise on safe harbor would be a major blow to many American companies, as well as to the substantial amount of commerce transacted by EU stakeholders under the safe harbor.
Accordingly, as Europe moves to finalize its comprehensive data-protection framework, and as the U.S. works to reach a mutual consensus with the EU on the few remaining points of conflict that are preventing final agreement on safe harbor, it’s beneficial to consider the implications that foreign legislation has on the American security landscape.
For example, notification of security breach incidents poses substantial problems for U.S. businesses and will continue to do so as the frequency of breaches increases and American companies struggle to comply with a competing patchwork of state laws and regulations at home while facing growing pressure abroad from the EU for greater transparency.
Although the current data privacy and security landscape in the U.S. is divergent and frequently in conflict, there is a movement towards a meeting in the middle.
In some ways, the recent activity by the Obama administration could be viewed as a push toward a more EU-like approach here in the U.S. In particular, calls for greater uniformity in data security laws in the U.S. have already begun. Both companies and consumers are driving this discussion – companies are seeking greater clarity on their legal obligations and liabilities and consumers are expressing increasingly louder concerns in response to the substantial rise in the number of high-profile data breaches.
Most recently, the administration released a set of legislative proposals that includes a national 30-day breach notification requirement and a Consumer Privacy Bill of Rights. These would necessarily involve a greater level of security that would, arguably, originate with the data subject’s ownership and control of their data, very similar to the approach by the EU. Both of these proposals began with President Obama pressing Congress in his State of the Union Address to pass comprehensive cybersecurity legislation that would help protect against cyberattacks.
Currently, there are 47 state-level data breach notification laws that a company may need to comply with if it suffers a data security breach, some of which are in direct conflict with each other. This means that a company suffering from a single data breach incident may find that data breach notification laws in some states are triggered, while laws in other states are not.
Furthermore, among the laws that are triggered, differing notification obligations may exist. Deciphering the legal complexities of disparate privacy and data security laws is resource intensive – in terms of personnel, time and money. Many commentators question whether such activity actually achieves the needed result, which is a more secure system.
The White House proposal, however, calls for a single, national law requiring companies to report a breach within 30 days. For companies trying to comply with a multitude of state laws, the uniformity and simplicity of the proposed national data breach notification law may be welcome.
While President Obama’s proposals are not as universally far-reaching as those in the proposed EU regulation, they are a significant step closer to uniformity in data protection and cybersecurity laws than the U.S. has previously seen. However, concerns have already arisen as to whether the proposed federal law would ultimately be a simplifying force. This is due to the uncertainties surrounding its ability to preempt state law and questions of whether states would be able to adopt more stringent laws than those required under federal legislation.
As multinational companies keep a close eye on the evolving data protection laws in the U.S. and EU, security remains top of mind for all industries. Recent hacks, such as the ones perpetrated on financial institutions like JPMorgan Chase and companies like Sony, continue to cast doubt on the ability of enterprises to keep their networks and data secure.
With this in mind, it benefits American multinational companies to assess their security measures and think differently about how to protect one of their most valuable assets – their data – or face the many consequences. So what will it take?
The right tool
Companies need to consider a data security solution that is distributed in the same manner as their data and infrastructure – across physical, virtual and cloud environments. The right tool should give them visibility, control and threat defense within the data center to help them quickly detect that they have been breached, understand the extent of the breach, and identify how the cybercriminal got in so that they can put policy and safeguards in place to prevent future occurrences.
An easy solution to manage
Companies are overwhelmed with managing a number of complex security tools and un-scalable hardware-based perimeter solutions. Compounding the challenge is that many of these companies lack in-house, deep security skills, which creates gaps that expose companies to risk. For companies, a security tool that is automatic, scalable, comprehensive and intelligent is the key to making security digestible for all.
A holistic effort
It is time for companies to think broadly and make a holistic effort to bring together all internal stakeholders in order to deal not only with the security issues companies are continuously facing, but also with the legal and regulatory hurdles they will soon face. The mounting impact of facing multiple breaches a year, coupled with coinciding fines, could cripple companies that don’t comply – both in reputation and in business practice. Such an effort will succeed only once the right security measures are in place and operational processes are set in motion that allow the security conversation to break out of the IT bubble and become part of C-level conversations.