EU data protection reform: the industry responds
PwC’s data protection experts have been swift to outline how the proposed reforms to the European Union’s 1995 data protection rules published by the European Commission will impact businesses and individuals.
Lisa Banyard, PwC’s data protection leader, told Info4Security: “Implementing the proposals will present an increased administrative burden for businesses. Under the changes, organisations would be operating under a tougher regime where they would face increased accountability and heavier fines which could add up to 2% of worldwide turnover for the most serious breaches.”
Banyard added: “In a move clearly aimed at those operating on the Internet, organisations dealing with personal data about EU citizens would be accountable even where they are located outside the EU. Historically, fines imposed in the UK for data breaches were fairly small but, going forward, this could change dramatically. Organisations will have to demonstrate how they’re complying with the law by having proper policies and procedures in place. Sticking a privacy policy on the website will no longer be sufficient.”
In conclusion, Banyard commented: “The introduction of compulsory breach notification means companies have to report losses to the Data Protection Authority within 24 hours, and that’s going to be tough for some companies to adhere to. Those that don’t already have a well-oiled reporting mechanism in place will need to implement measures to be able to flag breaches in time.”
The Confederation of British Industry (CBI) has aired its views on the European Commission’s proposals. Matthew Fell, the CBI’s director for competitive markets, said: “In an increasingly digital age it’s important that consumers and employees are confident of their data protection rights, and this is also in businesses’ interests. However, at a time when we should be boosting business confidence and encouraging innovation in digital services, these proposals will interfere with the relationship between businesses and their customers, and only add to costs. We see no reason for such a radical overhaul when existing data protection legislation remains fit for purpose.”
Shifting power to the individual
Jonathan Nugent – a data protection specialist in PwC’s legal operation – explained: “The new proposals will shift power into the hands of individuals. In theory, once the proposals are implemented it should be much easier to access, move or delete whatever personal data companies hold on you. The new ‘right to be forgotten’ will mean you can request that any personal data you’ve ever published about yourself online is deleted, and the changes will provide greater protection for personal data about children.”
Nugent stated: “The new right to data portability will also place an obligation on website providers to ensure that data exists in a format that allows individuals to transfer their information to an alternative service provider. It would apply to social networking sites most notably. For example, the fact you might have invested a lot of time building up your profile on one networking website would not matter as you would easily be able to move everything you have posted from one site to another.”
He added: “International businesses will welcome the moves to provide a more coherent framework for data protection laws in Europe, and the provision that companies only need to comply with the law of the country where their main headquarters is established.”
Overriding individual national rules and the original regulations drawn up in 1995, these EC guidelines will for the first time dictate how companies can use and store personal information. Clearly, the impact will be tangible.
How and why personal data is being used
Lior Arbel, director of strategic data security at Websense, told Info4Security: “These new rules will have an enormous impact on how companies and websites look after users’ personal data. This will mean that any customer records and internal Human Resources lists will have to comply with the new rules, and companies will need to be able to demonstrate how and why they are using personal data. Businesses will now have to take further steps in order to safeguard their data as nobody will want to have to admit being caught out by hackers.”
Arbel went on to state: “By taking active steps to trace inbound as well as outbound data leaks, and having the visibility of where important and valuable data sits, companies can mitigate the risk of exposure. Data loss is a costly experience not only in monetary terms for the fines levied, but also in terms of negative impact on an organisation’s reputation.”
He concluded his statement by saying: “In this time of ever-changing online attacks, companies will have to ensure their defences are up to scratch as it will be their reputation and the trust of their customers and employees on the line.”
Charles Race – senior vice-president tasked with global sales strategies at Informatica – has very strong views on the subject.
“The 21st Century data explosion is in full swing,” opined Race, “so it’s no wonder that breaches and abuse of personal information is top of the agenda for the EU. As consumers, patients, customers and social networkers our personal information is stored in countless places outside of our control. Overhauling EU privacy rules puts the right level of pressure on organisations to ensure that they’re in total control over valuable information. This is for the good of themselves and their customers.”
Race continued: “Businesses will need to re-evaluate what steps they have taken to prevent data breaches in the first place, and I expect we’ll see the likes of data masking technology come into its own this year as a direct result of that. This enables organisations to implement more sophisticated tools and parameters that protect against data breaches.”
The strategist added: “Already the subject of stringent regulation and the risk of hefty fines from the Financial Services Authority, in the wake of these new standards the financial services industry in particular will be feeling the heat to make doubly sure that its data security measures are up to scratch.”
What’s the ‘elephant in the room’?
The director of European operations at FireEye is Paul Davis. He too has commented on the EU privacy laws announcement made by Viviane Reding, the EU justice commissioner.
“It’s all well and good to legislate that companies must notify the public and the authorities within 24 hours or face a fine of 2% of their global revenue, but the ‘elephant in the room’ is that most companies are unable to detect external targeted attacks leading to data loss,” urged Davis.
“The protection of information is critical to business and the establishment of trust with customers and the notification of data breaches is important, but detection and blocking of exploits should take precedence.”
Davis continued: “An organisation has to be aware of an attack and they cannot report a data breach of which they have no knowledge. That’s the real issue facing businesses today. Just because they cannot see an attack or are unaware of the subsequent loss of data doesn’t mean it isn’t happening.”
Reporting within 24 hours of discovery is admirable, according to Davis, but if the company wasn’t aware of the breach for 24 days then where do all involved stand?
“A greater emphasis on detection and blocking is required: it’s better for businesses and, ultimately, the customer.”
Compliance offers a competitive advantage
Compliance and security management specialist RandomStorm has also commented on the new European Union Directive.
Andrew Mason, co-founder and technical director of the company, pointed out: “When the EU data protection law comes into force it will significantly increase the financial penalty faced by enterprises. That being the case, compliance will offer a competitive advantage because shareholders and customers will demand information security.”
In an impassioned comment, Mason stressed: “Many people are concerned about 2% of global turnover being levied for breaches. However, a company would need to have a £25 million turnover to incur the maximum £500,000 fine currently faced by all UK organisations that breach the Data Protection Act. So, under the new EU rules, smaller companies could actually face a lower fine for failing to protect data. The real penalty of a data breach will always be the loss of reputation and customers.”
Andre Stewart, the president at Corero Network Security, had this to say on the matter…
“Personal data is not just about who you are, it’s where you go and what you do. Our ‘cyber lives’ are now so intimately linked to our actual existence that the value of this information is immense. Facebook identities in the criminal cyber bazaar are now more valuable than credit card particulars. There’s no recourse for the individual whose personal data is stolen and therefore the obligation to safeguard confidentiality must be made explicit, and accountability spelled out.”
He stated: “The new data breach laws try to do just that – prescribe and homogenise the rules across the EU with the stated aim of encouraging business growth as well. The question remains as to whether the law will tread the fine line between achievable data protection and compliance requirements?”
Either way, Stewart concluded: “The new rules say personal data is valuable. Safeguard it. Make someone in your organisation responsible for protecting it… and if you don’t comply you’ll pay because not only can you get hacked, you will be fined as well.”
Real implications of data theft have been felt
Jeff Finch, the security services product manager at Interoute, commented: “The new EU privacy rules are a clear signal that the real implications of data theft have been felt. The impact on a citizen once their personal data falls into malicious hands is more than distressing, yet incidents of organisations holding vast quantities of personal data without the recourse of systems and policies to enable the protection of that information have been an all-too-prominent part of our daily lives. The onus is now on organisations to find a solution that can protect them from potential direct attacks and information leakages.”
Finch outlined: “There is some good news for businesses in Europe. The collation of harmonised data protection rules across 27 countries will without a doubt save organisations from a headache. Piecing together differing national data protection laws will have felt like one massive patchwork task for organisations, especially as the introduction of cloud computing placed question marks over the exact location of data.”
As far as Finch is concerned, the next step is to look for harmonisation with laws in other countries like the US, where the Patriot Act enables authorities to search telephone, e-mail and financial records without a court order.
“Thus, understanding where data resides and in whose data centre will continue to be a crucial part of corporate governance for organisations,” suggested Finch.
Rob Rachwald, the director of security strategy at Imperva, has also voiced his own opinions on the EU data protection law proposals.
“The new EU privacy law takes a good step forward for privacy,” he explained. “The ability to control and even delete individual data profiles is a needed move. However, the proposal doesn’t do enough to protect data. Since it mainly proposes fines, it will not help keep EU citizen data safe from hackers or insiders.”
Such approaches have not met with great success in the past. “Rather, the EU should put in place fines coupled with a more prescriptive approach, identifying specific actions firms should take to protect data. The payment card industry, PCI, adopted this approach and has managed to lock down data better than any regulation in existence today.”
Reaction to the most striking measures
The director of sales EMEA and APAC for Imation Mobile Security is Nick Banks. He feels that, while it’s encouraging to see EU legislators tackling the issue of data breaches with these new proposals, the success of the directive will rest on companies’ reactions to the most striking measures (such as the plan to fine firms 2% of global turnover for data breaches).
“The Information Commissioner’s Office was empowered to hand out large fines in 2010,” said Banks, “but the new penalties seem to have had little impact on data breaches, perhaps because relatively few fines have been imposed. This may be due to fears that financial penalties are inappropriate for offences in the public sector, since taking funds away from already stretched budgets could simply exacerbate data security issues. Still, the hope must be that the scale of these new EU fines finally forces a change in organisations’ attitudes towards data security in the years before the directive comes into force.”
He continued: “The ultimate aim of this legislation should not be to levy large fines but rather to drive new behaviour for organisations across the EU to think about implementing systems or processes to reduce the rate of serious data breaches. The responsibility must also rest with individual companies to implement clear internal policies and systems, including encryption and strategies for identifying and dealing with data breaches. Identification will be particularly important in light of the EU directive which will force firms to give notice of a breach within the first 24 hours.”
To conclude, Banks told Info4Security: “Staff training on how to deal with secure data will be equally important, and every employee charged with handling sensitive data should be given the appropriate equipment and knowledge to safeguard against human error and accidental breaches. Legislation alone will not automatically prevent data breaches so the onus is now very much on companies to take responsibility for data protection.”