In the EU, the  European Parliament adopted the General Data Protection Regulation  (GDPR) in 2016. The  regulation will come into effect on May 25, 2018. The aim is to standardize  data protection regulations across the EU. The GDPR applies to organizations  that collect or process data from EU residents. What you may not realize, is  that organizations based outside the EU also will have to conform if they  collect or process “any information relating to an individual, whether it  relates to his or her private, professional or public life.” That includes everything  from relatively innocuous details to highly private information, including names,  home addresses, photos, email addresses, bank details, social media posts,  medical information, or an IP address.

Data  protection legislation isn’t only evolving in the EU. In New York State, 23 NYCRR Part 500 became effective on March 1, 2017,  with a two-year transitional period that ends on March 1, 2019. The law  requires “Covered Entities” such as New York insurance companies, banks, and  other regulated financial services institutions – including agencies and  branches of non-US banks licensed in the state of New York – to assess their cyber  security risk profile and create a robust program to addresses those risks. The  23 NYCRR Part 500 law places the burden on a company’s senior management, which  must file an annual certification confirming compliance with the law.

Let’s take a  closer look.


Preparation  and debate on GDPR started in 2012. It was approved by the EU Parliament on  April 14, 2016 and became law 20 days after it was published in the EU Official  Journal. That started the enforcement countdown clock. When the law goes into effect on  May 25, 2018, organizations that do not comply will risk significant fines in  the event of a data breach.

With 28  member states, the EU had an array of country-specific data protection  regulations. The GDPR standardizes data protection regulations across all member  states. For clarity, the  United Kingdom will still be a full Member State of the EU when the GDPR comes  into force, and indications are that it will mirror the GDPR in national  legislation after Brexit.

For clarity, the United Kingdom will still be a full Member State of the EU when the GDPR comes into force, and indications are that it will mirror the GDPR in national legislation after Brexit.

Here is a  summary of some important notes about the new GDPR law:

  • Companies must take adequate technical and  organizational measures to protect data.
  • Companies will have to notify authorities within  72 hours of discovering a personal data breach if the breach is likely to cause harm to the people  affected. In serious cases, companies must notify every person whose  data was compromised.
  • Under current data protection laws, the maximum  fine for a personal data breach is capped at five hundred thousand Euro  (€500,000). The GDPR will substantially increase these fines to a new maximum  penalty of ten million Euro (€10,000,000) - or two percent (2%) of total  worldwide annual turnover - whichever is the higher.
  • The Netherlands is one of a few countries that  have already put laws into place to reflect these new requirements. Its Dutch  Personal Data Protection Act took effect on January 1, 2016.
  • Companies based outside of the EU that provide  goods and services into the EU will also have to comply with the GDPR.

23 NYCRR Part 500

In New York  State, new cybersecurity requirements for financial services companies, known  as 23 NYCRR Part 500, will take effect in stages, starting on August 28, 2017. The  aim of this new legislation is to protect consumers and to “ensure the safety  and soundness of the institution” as well as New York State’s financial  services sector. Other parts of the law take effect over the next year and a  half, as follows:

  • February 15, 2018: Deadline for submission of  the first certification under 23 NYCRR 500.17(b), which requires an  organization notify the superintendent of financial services of any  cybersecurity event within 72 hours.
  • March 1, 2018: This marks the end of the one  year transition. As of this date, organizations will have to be in compliance  with sections of the law that cover reporting, pen testing and vulnerability  assessments, risk assessments, multi-factor authentication, and training and  monitoring.
  • September 3, 2018: At the 18-month mark,  organizations must comply with the requirements of sections that cover audit  trails, application security, data retention, and encryption of non-public  information.
  • March 1, 2019: With the end of two-year transition,  organizations must comply with all the requirements of the law.

If you’re in  the financial services sector and do business in New York State, you still have  time to file a Notice of Exemption, required by a section of the law, until  October 30, 2017. It is likely that laws like this might start popping up in  other states, using this law as a benchmark, so it’s important to stay on the  alert.

Podcast: Why Cyber Security Matters to the Network Operator promo

How Ciena Can Help

In today’s world  of ever increasing threats, data security can be a daunting and high-stakes  undertaking. Inevitably, vulnerabilities will continue to exist, and so will  the threat of a data breach. Ciena’s WaveLogic Encryption solutions can be deployed as part of  a holistic security strategy to help minimize your attack surface and ensure  compliance with data protection laws like the GDPR and the 23 NYCRR Part 500. Our  easy-to-deploy encryption solutions provide piece of mind with 24/7 in-flight  data protection between data centers, financial institutions, or other  locations, ensuring the safety of personal data no matter where it is, anywhere  in between.

Large play button overlay
Hacking an optical fiber line in minutes
Large play button overlay