How new legislation is changing data protection requirements
Cyber security is on everyone’s minds these days—with high-profile hacks affecting Equifax and Whole Foods in the headlines in just the past few weeks. Coincidentally, October is National Cyber Security Awareness Month, a time to raise awareness of the importance of a holistic security program. So we thought it was a good time to take a look at a couple of pieces of new legislation that aim to stem the tide of security breaches. If you do business in the EU or New York State, the legislation will be of keen interest to you.
In the EU, the European Parliament adopted the General Data Protection Regulation (GDPR) in 2016. The regulation will come into effect on May 25, 2018. The aim is to standardize data protection regulations across the EU. The GDPR applies to organizations that collect or process data from EU residents. What you may not realize is that organizations based outside the EU will also have to conform if they collect or process “any information relating to an individual, whether it relates to his or her private, professional or public life.” That includes everything from relatively innocuous details to highly private information, including names, home addresses, photos, email addresses, bank details, social media posts, medical information, or an IP address.
Data protection legislation isn’t only evolving in the EU. In New York State, 23 NYCRR Part 500 became effective on March 1, 2017, with a two-year transitional period that ends on March 1, 2019. The law requires “Covered Entities” such as New York insurance companies, banks, and other regulated financial services institutions – including agencies and branches of non-US banks licensed in the state of New York – to assess their cyber security risk profile and create a robust program to address those risks. The 23 NYCRR Part 500 law places the burden on a company’s senior management, which must file an annual certification confirming compliance with the law.
Let’s take a closer look.
Preparation and debate on GDPR started in 2012. It was approved by the EU Parliament on April 14, 2016 and became law 20 days after it was published in the EU Official Journal. That started the enforcement countdown clock. When the law goes into effect on May 25, 2018, organizations that do not comply will risk significant fines in the event of a data breach.
With 28 member states, the EU had an array of country-specific data protection regulations. The GDPR standardizes data protection regulations across all member states. For clarity, the United Kingdom will still be a full Member State of the EU when the GDPR comes into force, and indications are that it will mirror the GDPR in national legislation after Brexit.
Here is a summary of some important notes about the new GDPR law:
- Companies must take adequate technical and organizational measures to protect data.
- Companies will have to notify authorities within 72 hours of discovering a personal data breach if the breach is likely to cause harm to the people affected. In serious cases, companies must notify every person whose data was compromised.
- Under current data protection laws, the maximum fine for a personal data breach is capped at five hundred thousand Euro (€500,000). The GDPR will substantially increase these fines to a new maximum penalty of ten million Euro (€10,000,000) - or two percent (2%) of total worldwide annual turnover - whichever is higher.
- The Netherlands is one of a few countries that have already put laws into place to reflect these new requirements. Its Dutch Personal Data Protection Act took effect on January 1, 2016.
- Companies based outside of the EU that provide goods and services into the EU will also have to comply with the GDPR.
23 NYCRR Part 500
In New York State, new cybersecurity requirements for financial services companies, known as 23 NYCRR Part 500, will take effect in stages, starting on August 28, 2017. The aim of this new legislation is to protect consumers and to “ensure the safety and soundness of the institution” as well as New York State’s financial services sector. Other parts of the law take effect over the next year and a half, as follows:
- February 15, 2018: Deadline for submission of the first certification under 23 NYCRR 500.17(b), which requires that an organization notify the superintendent of financial services of any cybersecurity event within 72 hours.
- March 1, 2018: This marks the end of the one year transition. As of this date, organizations will have to be in compliance with sections of the law that cover reporting, pen testing and vulnerability assessments, risk assessments, multi-factor authentication, and training and monitoring.
- September 3, 2018: At the 18-month mark, organizations must comply with the requirements of sections that cover audit trails, application security, data retention, and encryption of non-public information.
- March 1, 2019: With the end of the two-year transition, organizations must comply with all the requirements of the law.
If you’re in the financial services sector and do business in New York State, you still have time to file a Notice of Exemption, required by a section of the law, until October 30, 2017. It is likely that laws like this might start popping up in other states, using this law as a benchmark, so it’s important to stay on the alert.
How Ciena Can Help
In today’s world of ever-increasing threats, data security can be a daunting and high-stakes undertaking. Inevitably, vulnerabilities will continue to exist, and so will the threat of a data breach. Ciena’s WaveLogic Encryption solutions can be deployed as part of a holistic security strategy to help minimize your attack surface and ensure compliance with data protection laws like the GDPR and 23 NYCRR Part 500. Our easy-to-deploy encryption solutions provide peace of mind with 24/7 in-flight data protection between data centers, financial institutions, or other locations, ensuring the safety of personal data no matter where it is or where it travels in between.