Today’s post comes courtesy of Steve Haase, president of cyber liability wholesaler INSUREtrust.
For American businesses, cyber regulations in foreign countries can be new and confusing territory. Yet they have a significant impact on global enterprise, especially in constructing contractual relationships. We highlight below some key regulations in parts of Europe and North America where US firms have a major presence.
The euro zone is establishing minimum levels of compliance in legislation in every member country through the Data Protection Directive, which goes into effect in 2014. Requirements include:
- Appointment of a dedicated data protection officer for companies with over 250 employees;
- Notification of a breach to authorities within 24 hours;
- Financial penalties up to 2% of the gross worldwide revenue of any organization found to be in violation.
Under the directive, each E.U. country must have or implement protections that meet the standards of the DPD.
According to the 1978 personal data protection law, the French protection authority known as CNIL can impose fines for lax data protection controls by businesses. Fines can reach €150,000 for first-time breaches and €300,000 for repeat breaches within five years. France has enacted whistle-blower programs that are compliant with Sarbanes-Oxley, and the CNIL maintains the right to inspect organizations that seek to transfer data out of the country to avoid the strict French protection laws.
Regional Data Protection Acts make up a federal German data protection network. Corporate information controllers must notify their regional authority when there are any concerns of data security. Regional authorities can impose fines of up to €300,000. The DPAs also support whistle-blower hotlines for reporting data mismanagement. In addition to the DPAs, data is protected by the German Telecommunications Act and the German Telemedia Act.
The Data Protection Act of 1998 is implemented through the Information Commissioner’s Office, which can impose fines up to £500,000. A second U.K. entity, the Financial Services Authority, regulates banks, insurance companies, insurance brokers, and other financial services firms. This organization takes a strict view of data protection controls, including the use of encryption and secured storage of all backup files. The FSA can levy fines or even revoke a business’s commercial status.
Data protection in the Americas outside the United States has generally lagged behind Europe. Protections are increasing, but are still in the building stages.
Canada’s privacy protection statute, the Personal Information Protection and Electronic Documents Act (PIPEDA), was first approved in 2000 and updated in 2011. It provides for accountability both in the use and safeguarding of electronic data. Large corporations, including State Farm Insurance, TransUnion of Canada, and Air Canada, have been involved in court cases under these protections.
PIPEDA affords a framework for individual provinces to establish privacy protections. In 2004, Alberta became the first province to enact its own privacy legislation, applicable to businesses across all sectors of the economy. Among other items, it puts in place specific breach notification actions and timelines.
Since Alberta, the provinces of British Columbia and Ontario have approved similar legislation governing commercial and/or health data. Still, the seven other provinces have yet to enact their own cyber laws.
In 2010, the Mexican Senate approved legislation governing how public and private companies collect, use, and disclose personal data. As of December 2011, the IFAI, Mexico’s data protection authority, began expanding governance, including breach notification requirements, restrictions on cloud computing, regulation of data transfer to third parties, and clarification of the rights of those whose data is being collected.
U.S. businesses that engage in international commerce need to be aware of data protection legislation. Companies that are vendors for foreign businesses or that have foreign contracts or international process outsourcing may be surprised that local laws apply to their digital property. They need to learn whether:
- Protections apply to data belonging to local citizens only or citizens anywhere;
- There are strict time limits for breach notification;
- Trans-border data transfers are regulated;
- Data collection requires signed agreement from data owners.
Cyber insurance programs are available through a number of insurers that issue foreign local policies as well as U.S. policies that respond to lawsuits worldwide.
About the Author
Steve Haase, president of INSUREtrust, has 25 years of experience in risk management and insurance and B.A. and M.S. degrees in risk management and insurance from Georgia State University. He also holds CPCU and ARM designations. He is a frequent speaker at industry events on e-business risk management. In 1997 he launched the first insurance product focused on “breach of security” exposures for companies doing business over the Internet. This initiative eventually became INSUREtrust LLC, a leading cyber liability wholesaler in Norcross, Ga.