It now looks as though the draft EU Data Protection Regulation is unlikely to go before the European Parliament before May 2014, and is therefore unlikely to take effect before late 2015. Although some key issues remain to be negotiated, it is clear that the regulation will result in far-reaching changes to data protection law throughout the European Union. Businesses should be considering now whether they will be equipped to deal with the likely changes, particularly if they are entering into long-term contracts relating to the outsourcing or sharing of data.
Two of the most significant changes are the obligation to report all data security breaches to the relevant national regulator within a very tight deadline after discovery (current discussions are between 24 and 72 hours) and the level of fines that can be levied following a security breach. If a breach cannot be reported with sufficient information within the relevant timeframe, the data controller must be able to explain to the regulator why this is the case. This will place significant demands on an organization's ability to identify the scope and scale of a breach very quickly.
Currently, fines levied by most national data protection regulators in Europe are very limited. The proposal in the draft regulation is that fines of up to the greater of €100,000,000 or 2% of turnover could be imposed for the most serious breaches. Even if the fines actually levied in practice for serious breaches are only a tenth of the current proposals, they would represent a very significant increase on the current regime and entirely change the potential impact of data security breaches on companies.
The fact that fines for breaches may, in the future, have a very material impact on profits means that businesses will need to rethink their information security policies and consider whether they are taking the right approach. For example, businesses should consider whether to place the impact of potential breaches at the forefront of their policies. This might involve categorizing data according to the risk to data subjects, and analyzing what that data is used for in the organization and who has access to it. It also means that businesses will need to be conscious that the permitted uses of data may change over time, and should continually test whether data is being used only for its defined purpose. This exercise will allow businesses to assess more accurately the potential risk if a security breach does occur, and to put appropriate security measures in place early on.
Such a re-evaluation will also allow CISOs to assess more quickly what has happened when there is a breach and, combined with early detection technology, arm them to respond rapidly to regulators. If a substantial fine is levied, that groundwork should in turn assist both in internal reviews and in dealing with external stakeholders, such as shareholders whose position may be financially affected by a large regulatory fine.
Regulators will increasingly expect organizations to identify the scope of a breach quickly, take appropriate steps to contain it and, where appropriate or possible, regain control of the data. Whether regulators themselves will be equipped to deal quickly with this information, though, is another matter. Many companies believe they are equipped to respond to a breach in a way that provides sufficient information to a regulator within the timescales being discussed for reporting under the draft regulation. My experience, however, does not bear this out. In addition, the majority of breaches are not discovered for some months, and discovery is often the result of a third party informing the victim organization of the breach. There is therefore clearly a long way to go for many businesses in putting adequate information security measures in place, and the new reporting and fines regime will only place further pressure on CISOs to do so.
In addition to their own breach identification and reporting obligations, companies will need to consider whether they have the right contractual arrangements in place. Outsourcing of data management continues to increase, as does the sharing of data. We have seen some very good, and some very bad, contracts in terms of the rights granted to audit and to obtain information. These rights will affect the ability to investigate a breach, and the ability to pass on regulatory fines or claim damages where a contracting party may in fact be the entity responsible for the events that led to the breach.
The current draft regulation will make it critically important for organizations to obtain information quickly from the relevant contracting parties when there is a security breach. The scale of fines under the draft regulation will also mean an increase in disputes between companies as to who is at fault for a breach. Given the long-term nature of some agreements governing data, organizations need to consider these issues sooner rather than later, to ensure that they are in the best position possible if there is a breach after the regulation comes into force.
Paul Glass is a senior associate at international law firm Taylor Wessing, specializing in IT, financial/banking disputes, contentious data protection issues and contentious regulatory investigations, as well as advising on general commercial disputes across a range of areas. He has advised on a number of very substantial data security incidents over the past five years for a range of clients, from private companies in the UK to global multi-nationals.
Glass is also experienced in dealing with regulators (including the FCA, ICO, FRC and SEC) both in relation to regulatory investigations and disputes with associated regulatory issues, and is well versed in the cross-over between disputes and regulatory investigations.