GDPR: A New Data Breach Regulation
Data breaches have been occurring at an alarming frequency. Each one has the potential to put thousands if not millions of customers at risk for identity theft, while the companies involved also face reputational damage and financial loss. The European Union is responding to this threat with the General Data Protection Regulation (GDPR), which will impact companies around the world.
The Rise of Data Breaches
According to the Identity Theft Resource Center, data breaches are increasing. In 2017, a record number of 1,579 breaches were reported. Almost 20 percent of these breaches exposed credit card and debit card information, and more than half of them exposed Social Security Numbers.
Many of these breaches have been big enough to make headlines.
- The Equifax data breach exposed the personal information of more than 147 million individuals. Reuters reports that it could be the most expensive breach in corporate history, and Equifax expects $439 million in costs related to the breach.
- Uber suffered a data breach that exposed the information in 57 million accounts. Wired reports that the company reportedly paid $100,000 to the hackers to keep the incident quiet. The company is facing multiple lawsuits over its failure to notify those affected of the breach.
The General Data Protection Regulation
Data breaches are clearly a serious issue that needs to be addressed. The European Union is aiming to do that with the GDPR. Enforcement of the new regulation begins May 25, 2018, and organizations that fail to comply will be subject to heavy fines of up to 4 percent of annual global turnover or 20 million euros.
The GDPR expands the previous regulations in multiple ways. Among other things, it requires clear consent for data collection and timely notification of any breaches. It also expands the right to access, which includes the right to know how personal data is being used.
The GDPR also applies to organizations located outside of the European Union if they provide goods or services to customers in the European Union, monitor the behavior of European Union subjects, or process and hold the personal data of anyone in the European Union.
How Businesses Can Protect Themselves
Companies need to comply with the laws where they operate, including the European Union’s GDPR and any breach notification laws in the United States.
The best way to avoid trouble is to prevent breaches from happening in the first place.
- Update systems regularly. Systems that have not been patched may contain known vulnerabilities that attackers can exploit.
- Use antivirus and firewall software and keep them updated.
- Train all employees on cybersecurity, including how to avoid computer viruses.
- Use encryption to protect data.
If you sell goods and services internationally, take steps now to comply with GDPR requirements. Strong security measures can make a breach less likely, but hackers are always using new tactics to try to stay one step ahead of their victims. Also, if you haven’t already done so, ask your broker if you should have cyber liability insurance.
About the Authors:
Mark Davidson, CIC, CAWC, CISC is an Assistant Vice President of Heffernan Insurance Brokers, one of the nation’s largest independent insurance brokerage firms. Davidson’s specialty is structuring industry-specific insurance programs for niches such as food manufacturing, technology, construction, real estate, law firms and non-profits. He can be reached at 650.842.5212 or at email@example.com.
Pete Picetti, CIC, is a Senior Vice President at Heffernan Insurance Brokers, one of the nation’s largest independent insurance brokerage firms. He can be reached at (415) 808-1344 or firstname.lastname@example.org.