The European Union has been battling for 18 months to overhaul the continent's data protection laws, which have remained unchanged since 1995. Ahead of today's Data Privacy Day, EU Justice Commissioner Viviane Reding once again called for the EU Data Protection Reform, under which businesses could be fined as much as 5 percent of annual revenue – or up to €100 million (approximately £82.2 million) – in the event of a data breach.
“Two years ago, on 25 January 2012, a great debate began in Europe,” said Reding in a prepared statement. “A debate about data protection in a world of total connectivity; about privacy in a world where data flows across borders as easily as the air we breathe; about the future of the digital economy.”
“9 months ago, the debate took an unexpected turn. The first stories about PRISM were published. Since then, headlines have been dominated by stories about government surveillance. In my dialogues with citizens across the Union, the sense of shock was palpable. We have learned that the times of mass surveillance are not relegated to the past.
“Data collection by companies and surveillance by governments. These issues are connected, not separate. The surveillance revelations involve companies whose services we all use on a daily basis. Backdoors have been built, encryption has been weakened. Concerns about government surveillance drive consumers away from digital services.
“From a citizen's perspective, the underlying issue is the same in both cases. Data should not be kept simply because storage is cheap. Data should not be processed simply because algorithms are refined. Safeguards should apply and citizens should have rights.”
The pan-European reform, a topic of debate at the recent International Cybersecurity Forum, has drawn plenty of criticism in recent months, with critics pointing to vague terminology and legal loopholes. A recent ICO study also revealed a lack of understanding of the changes among IT professionals.
Reding, however, says change is imminent. “Discussions are mature. The text is ready. It is just a matter of political will.”
The reform would replace the 1995 Directive with a single regulation, expected to be fully ratified by 2015, which would apply directly in all 28 EU member states without national transposition.
The proposed regulation would require companies to notify the appropriate authority within 24 hours of a breach, and would prohibit firms from sharing EU citizens' data with the authorities of a third country unless explicitly permitted by EU law or an international treaty. For citizens, the law – which still needs approval – would provide easier access to the data that service providers hold on them, as well as a ‘right to be forgotten'.
Sam Maccherola, general manager for EMEA/APAC at Guidance Software – which has trained more than 50,000 cyber investigators – told SCMagazineUK.com that the law may be of limited value to businesses.
“Businesses now recognise breaches and rogue employees to be inevitable. Increasing fines and notification requirements over the coming months are a stimulus to better stewardship of data - and when the inevitable happens, preparedness to detect, triage, remediate and report. But even without the demands of forthcoming European law, and the enforcement of a harmonised regime, CIOs and CEOs already know that a data breach could cost them a substantial proportion of turnover,” said Maccherola.
“As a major UK retailer I wouldn't wait for compliance to tell me to protect my customers and my brand: I'd be doing it now.”
Christian Toon, head of information risk at storage and information management provider Iron Mountain, added that most companies are unlikely to tighten their security policies and data protection guidelines, however steep the fine.
“Despite the fact that this is a huge and potentially devastating sum of money, it remains unlikely that the threat will encourage firms to tighten their security policies and overhaul their data protection guidelines,” Toon told SCMagazineUK.com.
“This is not the first time this 5 per cent penalty has been proposed; the past three years have witnessed much discussion in Brussels around the possibility of increasing fines and clamping down harder on firms that suffer a data breach. However, no concrete proposal has yet been put into effect. As a consequence, many firms are not taking sufficient steps to secure themselves against a data breach and few have shown any real commitment to building a company-wide culture of information responsibility that is led from the top.”
The EU reform has been heavily influenced by the leaks from former NSA contractor Edward Snowden, and Reding's latest remarks coincide with Data Privacy Day, which falls today (28 January).
Martin Sugden, CEO of Boldon James, said that Data Privacy Day could change perceptions of data security.
“Awareness days are a great way to raise the profile of important issues that might otherwise go unnoticed, and Data Privacy Day on 28th January is no different,” he told SCMagazineUK.com.
“Data Privacy Day is a great initiative to highlight and educate businesses on the importance of good data security practices, but the responsibility for educating staff will always remain firmly in the hands of the company. Technologies that empower users to take ownership of secure practices, such as data classification, will help organisations succeed where so many others have failed."