The new data-protection regulations announced by Viviane Reding, the EU Justice Commissioner, will affect every company and organisation in the European Union, and any outside it that handles the personal data of EU residents.
When these regulations come into force, companies will for the first time need to show proof of compliance. That means having in place an effective reporting process that demonstrates, in detail, the network security and data protection measures that were in operation.
This move to mandatory reporting and full compliance means that companies face substantial fines and other sanctions if a data breach occurs, and they will have only 24 hours from discovering a breach to notify the supervisory authority.
The aim is to harmonise the patchwork of data protection laws across the EU's 27 member states. Although the overt focus is on the rights and protection of individuals online, the proposed changes require companies to disclose every data breach within 24 hours or face those sanctions.
They will also require companies to show proof of compliance in the wake of a breach: an organisation must be able to show, from its own records, which security and data protection controls were in place when the breach occurred.
The proliferation of data privacy regulations in Europe and elsewhere is making protection of consumer data on endpoints and servers a strategic priority.
The problem is that most companies in the UK and on the Continent still rely on data protection policies and technologies as dated as Europe's 16-year-old regulations. The new rules will officially set the clock ticking on the need for companies to review and upgrade their security, compliance and reporting processes, or risk being caught out by the new, stronger regime.
Only recently in the UK, an NHS hospital trust was told it faced a fine of £350,000 ($546,000) after hard drives containing patient data were stolen and sold on the auction website eBay. The fine is nearly three times the previous record.
The most telling point of this story is that the Trust had removed the 232 drives from its PCs and was about to have them decommissioned when the theft occurred; four of them ended up on the auction site. With a more secure storage device, such as a self-encrypting drive, an organisation can ensure that data on a lost or stolen drive cannot be read at any point, and decommissioning becomes simple and cheap: destroying the drive's internal encryption key renders every sector unreadable without overwriting a single byte of the media.
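The following is an added illustration of why a self-encrypting drive makes the stolen-drive and decommissioning problems above cheap to solve; it is not code from this article or from any Trusted Computing Group specification. It models a drive whose media encryption key (DEK) never leaves the device, is wrapped under a key derived from the user's authentication password, and is replaced on "crypto erase" so that existing ciphertext becomes permanently unreadable. The class and function names (`SelfEncryptingDrive`, `decommission_demo`) are hypothetical, the HMAC-SHA256 counter-mode keystream is a stand-in for the hardware AES-XTS engine, and the patient record is constructed sample data.

```python
import hashlib
import hmac
import secrets

SECTOR_SIZE = 512  # bytes per logical block, as on a typical ATA/NVMe drive


def _keystream(media_key: bytes, sector: int, length: int) -> bytes:
    # Stand-in for the drive's AES-XTS engine: HMAC-SHA256 in counter mode,
    # keyed by the media encryption key and tweaked by the sector number.
    # Constructed for illustration only; real SEDs use AES in hardware.
    out = bytearray()
    counter = 0
    while len(out) < length:
        msg = sector.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hmac.new(media_key, msg, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class DriveLocked(Exception):
    pass


class SelfEncryptingDrive:
    """Toy model of a TCG Opal style self-encrypting drive (assumption:
    one locking range, one user authority, no shadow MBR)."""

    def __init__(self, password: str):
        self._platter = {}                       # sector -> ciphertext; media is always encrypted
        self._salt = secrets.token_bytes(16)
        self._dek = secrets.token_bytes(32)      # media encryption key, generated on the drive
        self._check = hmac.new(self._dek, b"dek-check", hashlib.sha256).digest()
        self._wrapped_dek = _xor(self._dek, self._kek(password))  # kept in a reserved drive area
        self._unlocked = True

    def _kek(self, password: str) -> bytes:
        # Key-encrypting key derived from the user's authentication key
        # (PBKDF2 here; the real KDF is drive-specific).
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000, 32)

    def power_cycle(self) -> None:
        # The plaintext DEK exists only in drive RAM; losing power locks the drive.
        self._dek = None
        self._unlocked = False

    def unlock(self, password: str) -> bool:
        candidate = _xor(self._wrapped_dek, self._kek(password))
        tag = hmac.new(candidate, b"dek-check", hashlib.sha256).digest()
        if not hmac.compare_digest(tag, self._check):
            return False
        self._dek, self._unlocked = candidate, True
        return True

    def write(self, sector: int, data: bytes) -> None:
        if not self._unlocked:
            raise DriveLocked("write rejected: drive is locked")
        if len(data) > SECTOR_SIZE:
            raise ValueError("data exceeds one sector")
        data = data.ljust(SECTOR_SIZE, b"\x00")
        self._platter[sector] = _xor(data, _keystream(self._dek, sector, SECTOR_SIZE))

    def read(self, sector: int) -> bytes:
        if not self._unlocked:
            raise DriveLocked("read rejected: drive is locked")
        return _xor(self._platter[sector], _keystream(self._dek, sector, SECTOR_SIZE))

    def raw_platter(self, sector: int) -> bytes:
        # What a thief gets by reading the media directly: ciphertext, no lock check.
        return self._platter[sector]

    def crypto_erase(self, new_password: str) -> int:
        # TCG "revert" / ATA enhanced secure erase on an SED: discard the DEK and
        # generate a fresh one. Every existing sector is now unrecoverable.
        # Returns the number of sectors physically rewritten, which is zero.
        self._salt = secrets.token_bytes(16)
        self._dek = secrets.token_bytes(32)
        self._check = hmac.new(self._dek, b"dek-check", hashlib.sha256).digest()
        self._wrapped_dek = _xor(self._dek, self._kek(new_password))
        self._unlocked = True
        return 0


def decommission_demo() -> dict:
    # Constructed scenario modelled on the stolen-drive case: a record is written,
    # the drive is pulled from the PC (powered down), a thief tries to read it,
    # then the owner wipes it before disposal.
    drive = SelfEncryptingDrive("hospital-unlock-key")
    record = b"patient-id 000123; ward 4; discharge notes"   # constructed sample data
    drive.write(7, record)
    round_trip = drive.read(7)[: len(record)] == record
    ciphertext = drive.raw_platter(7)

    drive.power_cycle()
    thief_can_read = True
    try:
        drive.read(7)
    except DriveLocked:
        thief_can_read = False
    wrong_key_unlocks = drive.unlock("guess")

    drive.unlock("hospital-unlock-key")        # legitimate owner at decommissioning time
    writes_needed = drive.crypto_erase("factory-reset")
    after_erase = drive.read(7)
    return {
        "round_trip": round_trip,
        "platter_holds_plaintext": record in ciphertext,
        "locked_drive_readable": thief_can_read,
        "wrong_key_unlocks": wrong_key_unlocks,
        "sectors_rewritten_to_erase": writes_needed,
        "record_survives_erase": record in after_erase,
    }
```

Run `decommission_demo()` to step through the scenario. The point a practitioner should take from it is the last two results: erasing the drive costs zero media writes, yet the original record can no longer be recovered even by someone holding the full ciphertext, which is why an SED turns a 232-drive decommissioning job into a per-drive key revert rather than a multi-pass overwrite or physical destruction.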
Companies, and indeed all organisations, need to review their security, compliance and reporting processes now to avoid being caught out by these new, stronger regulations. To meet the new threat landscape, they would be well advised to consider hardware security built on the open Trusted Computing Group standards: the Trusted Platform Module (TPM) and the Self-Encrypting Drive (SED).
Together these give a company a defensible basis for addressing compliance questions, producing the reporting the regulators will expect, and protecting itself in the more demanding regulatory environment of the coming years.
It is not only in Europe that the regulatory environment is becoming tougher. The US Securities and Exchange Commission (SEC) has recently issued strong guidance on data breach disclosure, while admitting that its own network defences had been breached. It is time for all companies and organisations to review their security and reporting strategies thoroughly so that they can operate in a much tougher regulatory environment.