Not a day goes by, it seems, without the press unveiling another IT security breach or a new strain of virus or ransomware. The potential impacts of cyber-crime are devastating. Unsurprisingly, governments around the world are stepping up to ensure businesses know they need to take cyber security seriously.
Security in any form is always a game of risk management, a balancing act between the very real costs of building defenses and the potential costs of a breach that may or may not happen. Those potential costs actually carry multiple factors of uncertainty: what are the chances a breach will occur, and what would that breach end up costing if it did occur? The “what would that end up costing” part has long consisted of hard-to-measure things like loss of goodwill, but the trend towards more measurable costs is picking up steam.
When large companies experience cyber security breaches, there can be significant drops in share price and revenue. Those aren’t unrelated: customers worry about their personal data and look for other options, and investors fear the double whammy of additional security spending along with the aforementioned loss of revenue, and sell off stock holdings. But it’s still an if, and there’s still a lot of uncertainty. No one can predict exactly how many customers will leave, or how many investors will sell their holdings, or what effect either or both of those might have on share price or market capitalization.
Early privacy and security legislation left similar uncertainty. For example, Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), which came into effect in 2000, requires that personal information be safeguarded, but sanctions or remedies for failure to comply are unspecified and would come through the court system. But perhaps the turning point is here. What we’re now seeing is an increase in very concrete, very measurable costs.
Security Regulations and Penalties around the World
Australia’s Notifiable Data Breaches (NDB) section of the Privacy Amendment Act came into effect in February of 2018, and requires that organizations notify individuals at risk of being harmed by a data breach. Penalties can be as high as AU$2.1 million for organizations. That’s significant given that the provisions apply to virtually all organizations with annual revenues over as little as AU$3 million.
Over in the UK, the government just last month released its response to months of public consultation over the security of Network and Information Systems (NIS) directive, and appropriate penalties for non-compliance. NIS applies to the information security of “essential services” like energy, drinking water, transportation, and health networks. If you thought AU$3 million sounds like a lot of money, make sure you’re sitting down for this next bit. The UK upper limit for penalties is £17 million! It should be noted that while the NIS directive stems from a European Union-wide initiative, the UK has developed its own version of NIS, which will be enforced even if/after the UK leaves the EU.
And speaking of the EU, that organization’s General Data Protection Regulation (GDPR) wields perhaps the biggest stick of all. Approved in 2016, GDPR comes into full effect in May of 2018, and regulates data privacy and security for the personal data of “natural persons” in the EU. And unlike most other cyber security regulations, its reach extends beyond the geographical boundaries of the EU itself. Any organization that processes, transmits, or stores the personal data of EU data subjects (in GDPR terms, any data processor or data controller) needs to comply with GDPR. That’s regardless of where the processing, transmission, or storage occurs, and regardless of where the data controller or processor does business or is headquartered. And the penalties for non-compliance are the greatest we’ve seen yet: up to 4% of annual global revenues or €20 million, whichever is higher.
Clearly, governments around the world are taking cyber security increasingly seriously, and implementing legislation with teeth to ensure compliance. Only time will tell if this spurs organizations to actions that reduce the number of headlines we see about security breaches.
Curious about how these regulations affect your business? Micro Focus has dedicated resource pages on GDPR, or you can talk to us live at Micro Focus Universe or RSA 2018. If you can’t make a date with us in person, please feel free to Contact Us. We’d love to help you!