Leaders Edge

December 7, 2017

The European Union’s (EU) General Data Protection Regulation (GDPR) takes effect on May 25, 2018, and does not solely affect companies operating in the EU. Under the GDPR, EU data protection law will, for the first time, apply directly to many U.S. and other foreign companies that target the EU market from abroad, including insurance “intermediaries” holding data of EU citizens. The GDPR also establishes rights for EU citizens that currently do not exist in the U.S. – restriction of processing, access to data, data portability and the right to erasure. Failure to comply can result in massive administrative fines and other penalties.

Organizations appear to be in different stages in the compliance process. According to a recent Deloitte Benchmarking Survey, organizations are taking a “wide range” of readiness approaches. However, just 15 percent of organizations surveyed expect to be fully compliant by May 2018. The costs associated with compliance also vary – 39 percent of organizations reported spending less than €100,000, yet 15 percent reported spending more than €5 million, with no correlation between an organization’s size (or industry) and compliance cost.

For more information on the EU’s GDPR, request a recording of Steptoe & Johnson’s recent webinar: The Global Reach of GDPR: (Part I) The Long Arm of the New EU Data Protection Jurisdiction.

This trailblazing legislation falls in line with Europe’s stricter position on data security, but legislation in the states will follow suit. The NAIC recently adopted its Insurance Data Security Model Law, and on February 15, 2018, “covered entities” will be required to submit the first certification under the New York State Department of Financial Services (NYDFS) Cybersecurity Rule.

Most recently, and only days after the discovery that Uber paid hackers $100,000 to destroy the data from a 2016 breach and failed to report it, three senators introduced the Data Security and Breach Notification Act, which would require companies to disclose data breaches within 30 days. This legislation would replace the 48 different data breach notification laws at the state level, a position The Council supports.

Companies Fall Short Across the Board: New Report Reveals

Risk Cooperative’s 360 Cyber Risk Survey reveals there is a lack of leadership support and understanding of the overall cyber risk landscape. As senior leadership and board members become increasingly liable for their organization’s information security practices, a sound understanding of cyber risk is more important than ever.

The report also reveals that organizations lack information security personnel and an appropriate budget to cover information security due diligence. Outdated systems and infrastructure also contribute to the problem.