The European Union General Data Protection Regulation (GDPR) is scheduled to go into effect in May 2018. This regulation has significant implications for any company that offers products or services to EU residents. In the following guest post, Keith B. Daniels, Jr., Esq., an attorney and the founder of CyberCounsel, takes a detailed look at the EU regulation and reviews its implications for affected companies and their insurers. I would like to thank Keith for allowing me to publish his article on my site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Keith’s article.
On May 25, 2018, the European Union General Data Protection Regulation (GDPR) will go into effect in the 28 EU member states. It will require every multinational company that offers products or services to European Union residents to comply with a strict set of data privacy and security measures. These requirements will apply equally to those companies’ business partners and call for the use of emerging technologies and systems design concepts that may be new to U.S. information security professionals. The result is an essentially global regulation, with huge potential financial penalties and possible criminal penalties for non-compliance.
GDPR is not just an EU-specific regulation – every EU citizen’s private data, regardless of where it is stored, must be protected. In today’s world of Web-connected businesses, even small organizations not located in the EU may have customers from EU countries and are, therefore, subject to aspects of GDPR. Storing the personal data of just one EU customer means that not complying with the GDPR’s stringent new rules can result in huge fines, and maybe even criminal charges.
In May 2017, a troubling Compuware study showed that only 60% of U.S. companies had plans in place to respond to the demands of GDPR, while 94% possessed customer data for citizens of the EU. At that time, 85% of the survey respondents said it was difficult to know exactly where data resides, which is a key component of GDPR.
In November 2017, TrustArc and the International Association of Privacy Professionals surveyed almost 500 privacy professionals to gauge the pace of compliance with various elements of the GDPR. They concluded that U.S. companies are more prepared for GDPR Day than European corporations, with 84 percent of American respondents expecting to be GDPR-compliant by May 2018. Conversely, more than 25 percent of European professionals said they will not be ready by GDPR Day. According to respondents from the EU, an inadequate budget is the biggest barrier they face, while U.S. respondents said legal complications will make compliance more difficult.
Given the requirements of GDPR, above and beyond the current regulatory regime, what should a board of directors do to be GDPR-compliant? The board of directors must take a leadership position in moving an organization into compliance. Rather than passively relying on others to understand the issues and resolve them, the board must become more involved and should start by asking questions about their organization’s level of readiness for GDPR, and consider allocating resources to ensure the company is compliant by the deadline. Given the reach of GDPR, it touches on organizations of all sizes, and non-profits, too.
Unfortunately, most boards are not cyber-savvy. A recent article in the Harvard Law School Forum on Corporate Governance and Financial Regulation strongly suggested that the board itself create a board committee focused on cyber risk and cybersecurity that covers the gamut of potential threats from both internal and external parties, including strong data protection capabilities. The article makes it clear that directors need to deal in specifics, rather than take an “overview” approach.
Another recent article reported that only 5% of companies on the Financial Times Stock Exchange (FTSE) have cybersecurity expertise on the board. In addition, Accenture has found that only 6% of the directors at the world’s largest financial institutions have technology expertise. The percentage of directors with technology expertise in North America is hardly better, with only 12% of directors having a professional technology background, according to the Accenture report. Clearly, boards of businesses large and small are going to have to build or acquire new cybersecurity skills going forward.
Not only is GDPR of interest to multinationals and their US business partners, but also to the underwriters of cyber liability and management liability insurance policies. Underwriters will want to be confident that their insureds are making timely strides toward compliance. If companies fail to comply, significant penalties can ensue, along with reputational damage; unhappy shareholders may sue the directors and officers of such organizations, and other ramifications may follow.
While organizations prepare for GDPR, A.M. Best reported on June 26, 2017 that the loss ratio for cyber products has improved over the past year and is now at 46.9%, so that, overall, the cyber lines of business are now profitable. If GDPR losses begin to occur, this trend could reverse. If so, we can expect changes to occur in cyber liability coverage terms and upward pressure on pricing. If directors are personally found liable, that may implicate their Directors & Officers coverage, too.
As a result, IT leaders in many multinational companies have commenced the process of making changes to their information infrastructure to meet the requirements of the GDPR, which replaces the European Union’s prior data privacy and security regime, the Data Protection Directive 95/46/EC (the “Directive”). The Directive, enacted in 1995, was primarily applicable to organizations located in the EU. It set a high bar for the protection of personal data but proved inadequate to deal with changing technology. A fundamental limitation of the Directive was that it did not require EU member states to pass one standard text into law. Instead, it directed states to pass legislation based on a set of data privacy principles, resulting in a unique version in every state. As a result, implementation and enforcement varied widely in the EU.
Conversely, the GDPR is binding on all EU members as enacted and, at 88 pages, is designed to address the disruption to data privacy wrought by the rapid evolution of information technology and business models over the past 20 years. In about six months, the regulation will be enforceable by the data protection authorities (called “supervisory authorities”) of member states. While multinational companies can likely meet some of the GDPR’s requirements now, most will find that they need all the available time before inception to be completely ready.
The penalties for the violation of existing privacy regulations in the EU vary among member states, with the potential for fines in the €150,000 to €900,000 range. In many matters involving privacy violations, supervisory authorities had little recourse against large, well-funded multinationals who viewed such fines as merely a cost of doing business under the Directive. This changes under the GDPR: under Article 83(5), those authorities can impose fines of up to €20 million or 4% of the offending company’s global annual revenue, whichever is higher. GDPR also reinforces the potential for criminal prosecution to be sought against directors and officers for deliberate breaches. Simply put, board members can be jailed.
Definitions of personally identifiable information (PII) vary among US jurisdictions and, at the federal level, among agencies. Presently, directors and officers are not faced with the prospect of criminal charges for failing to protect PII. The National Institute for Standards and Technology (NIST), for example, defines PII as:
Any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
GDPR defines personal data similarly but expands it by including a person’s “identity” in other contexts:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person[.]
These additions to the definition of PII are important because they implicate data that may not seem to be personal. Things like IP addresses, application User IDs, Global Positioning System (GPS) data, cookies, media access control (MAC) addresses, unique mobile device identifiers (UDID), and International Mobile Equipment IDs (IMEI) are some examples.
Therefore, organizations and third parties that “process” this data will have to do so with a legal basis that is listed in the GDPR. For example, using software to travel through a network to inventory software for licensing purposes is considered processing of personal data (application User IDs) and implicates the regulation.
The regulation requires data “controllers” (the entities that have the last word on how the data is used) to “implement appropriate technical and organisational measures” to protect personal data. This phrase appears 21 times in the GDPR. The regulation cites as examples the general “ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems” and the more specific “encryption” and the “ability to restore the availability and access to data in a timely manner in the event of a physical or technical incident.” The regulation is asking controllers to employ information security frameworks, which enable professionals to create consistent, repeatable processes and implement controls that are generally accepted by the information security community.
Also, as some commentators have noted, companies subject to the GDPR that do business in the US may find that the rules and regulations applying to private data in the U.S. do not fit seamlessly with parts of the GDPR. 48 states, with New Mexico being the most recent, now have data breach notification laws in place.
As part of GDPR, many types of personally identifiable information (PII) will be protected, such as banking information, health records and government identity records, as well as any data that can be tied back to a data subject such as geo-location data from a cell phone, home address or data from a medical device. Organizations will need to gain a complete picture of all data that is collected, stored or processed. After that, companies must ensure that adequate means of protecting that data have been implemented, such as access being restricted to authorized personnel, proper authentication being used, proper procedures for backing up and archiving data and data retention and destruction policies. In addition, any third parties that have access to the data must be evaluated to ensure they too have adequate controls in place.
Clearly, insurance companies and other businesses, such as those in financial services, which currently mine private information to market their products will be closely monitored under the GDPR.
The regulation also features notification requirements modeled loosely after U.S. breach notification laws – the biggest difference being a new 72-hour time frame. Given that most breaches are not immediately discovered, and the extent of a breach can take time to determine, this could be a challenge for many entities and may be shorter than the time allowed by pertinent state law.
The U.S. does not have a federal data protection law. Data protection measures are set forth in numerous state laws and regulations. Breach notification, for instance, is not mandated by federal law. Instead, it comes down to numerous state laws, with California and Massachusetts known to have some of the most stringent requirements and New York having its own requirements for financial services organizations. 48 states now have data protection laws in place.
Organizations based in the US that hold data on European customers now have the daunting task of being compliant with applicable U.S. regulation, while ensuring that they are compliant with GDPR. The GDPR’s requirements for data protection are in concert with most regulations in the U.S. There is nothing in the NIST Cybersecurity Framework that conflicts with the data protection practices required by GDPR.
Should the data of Americans and Europeans be segregated in different systems? This could be problematic as U.S. courts rely on precedent in case law to establish a best or common standard of practice. If EU data is better protected than U.S. data, that could lead to potential liability in civil courts.
One solution may be to create a unified compliance regime that accommodates both arenas. This will entail increased information lifecycle management (ILM) efforts according to Richard Stiennon, Lecturer at Charles Sturt University (here). Through an in-depth ILM approach, he proposes that organizations will be able to better manage the immense amounts of data and metadata collected through an information system, tracking it from creation and initial storage to the time when it’s no longer needed and is destroyed, while at the same time providing specific criteria for managing the data storage. There will be automated processes to classify data into tiers according to policies. This will enable companies to automate the migration of data from one tier to another based on the criteria within the policies.
Only data that has been explicitly asked for should be kept. All other data, such as time and geo-location, will likely be classified as PII under GDPR. During data storage and long-term archiving, care should be taken to understand where it all resides. Will some data be with a third party? Who can access it? Are there backups? It will be necessary to know the answers to be compliant with the GDPR.
In conclusion, an organization’s CEO and Board of Directors are responsible for GDPR compliance as well as complying with American laws. They must ensure that practices are balanced with all cybersecurity and data privacy regulations that apply to their organization. If not done properly, organizations will leave themselves vulnerable to huge fines and criminal consequences under the GDPR, damage to their public reputations, the possibility of additional penalties in the U.S. and securities lawsuits. Multinationals and their US business partners can expect to have to answer underwriters’ queries as to their compliance with GDPR when they are buying or renewing their cyber liability and management liability policies for the next several years.
As the number and breadth of massive data breaches increase, pressure will build on politicians to enact new statutes and regulations with a focus on making corporate management and boards responsible parties for protecting personal information. GDPR is going to be an important “test case” that other countries and jurisdictions will watch closely. New regulations and statutes such as GDPR are mandating that boards and individual directors become focused and engaged on cybersecurity issues. Now, individual directors may be personally responsible for cybersecurity-related issues. There is currently a lack of cyber knowledge on boards of directors in general.
It is unlikely that the threat of holding individual directors responsible for cybersecurity will abate. Data breaches, which are reported almost daily, have raised the general level of distrust of “big business”, as seen in the recent criticism of the officers of Experian and Uber and many others before them, with a corresponding increase in the desire to hold top executives personally responsible. In response to these trends, directors must increase their cybersecurity skills, engagement and awareness to comply with the GDPR and the likely next wave of cyber laws and regulations.
Cyber and D&O underwriters will also be closely monitoring these developments and we can expect changes in policy forms to occur as the risks evolve and any negative loss trends become apparent.
Keith B. Daniels, Jr., J.D. is a graduate of the University of Wisconsin Law School and has worked as coverage counsel handling management, professional liability, employment practices and cyber liability claims, as an underwriter and as developer of cyber and technology insurance products for Lloyds of London and US carriers. He has also spearheaded the development of management liability and professional liability forms. He is the founder of CyberCounsel and provides independent advice to carriers in the development of new products and the assessment of market opportunities and to entities interested in an independent evaluation of the adequacy and scope of coverage for cyber and other specialty lines of coverage. He can be reached at 715-379-6511 or at firstname.lastname@example.org.