As we discuss in our webinar, “Data Security: Preparing for the Compliance Landscape of Tomorrow,” the compliance landscape is rapidly shifting. The draft EU General Data Protection Legislation will have a widespread impact on multinational organizations, while the regulatory environment continues to change rapidly at the Federal and State levels in the US. More regulators are stepping up to investigate organizations and levy fines, and their jurisdictions often overlap. From the FCC to the SEC, from the FTC to HIPAA, juggling compliance is more difficult than ever before.
EU’s General Data Protection Legislation
The draft EU General Data Protection Legislation extends the scope of EU data protection law to all foreign companies processing the data of EU residents. With regard to data breaches, the Data Protection Authority (DPA) would need to be notified within 72 hours after discovery, and affected individuals would need to be notified if an adverse impact is determined. The law could impose sanctions of up to 1 000 000 EUR or up to 2% of annual worldwide turnover, whichever is greater. Adoption of this new legislation is proposed for 2015, with enforcement by 2017. We share more insights on this proposed legislation in our webinar.
Shifting Federal & State Requirements
The legal environment is shifting rapidly in the US as well. The National Cybersecurity Protection Act of 2014 (NCPA) was recently signed by the President on December 18th, codifying the existing cybersecurity operations centre in the Department of Homeland Security and creating a federal agency data breach notification law which outlines how affected individuals and congressional committees are to be notified post-breach. Agencies are required to have data breach notification policies that are not only implemented but periodically updated.
New Jersey’s Bill A3146, if approved by the Senate, would expand the state’s law to cover a breach of security of online accounts. New York’s Bill A10190 would amend Law 899-aa to require organizations to maintain a comprehensive information security program to protect personal information. Currently, only 3 states have no data breach notification law of any kind: Alabama, New Mexico and South Dakota. Organizations often find themselves subject to the laws of many States, not just the one where they are located but also those where their customers are. TD, for example, reached settlements with several States following its own data breach in 2012, with litigation still ongoing.
New Regulators Step Up
The Federal Communications Commission (FCC) recently imposed a $10 million fine against two telecom organizations. The Securities and Exchange Commission (SEC) has voiced its intention to fine organizations for not properly reporting data breaches. Governing bodies across all industries have stepped up to examine and investigate organizations’ data security protections. Organizations may now find themselves subject to multiple independent investigations and, in the case of a data breach, to multiple fines.
The Outcome is Long and Costly
When it is found that your organization has failed to implement proper data protections, you could now face investigations and fines from multiple regulatory bodies for the same data breach event. Investigations and litigation related to a data breach can take years to resolve.
Changes to the regulatory landscape, paired with increased data security risks, the rapid pace of technological change and more complex employee demographics, have created a complex environment for IT data security. Learn how Absolute Software can help your organization navigate the choppy regulatory landscape and mitigate data security risks here.