Regulatory Roundup, Part 4: EC Releases Final Draft of EU Data Protection Reforms

1/30/2012

On January 25, 2012, the European Commission (EC) released its final draft of a regulation that would replace the current EU Data Protection Directive. The regulation includes a data security section requiring organizations to implement appropriate technical and organizational measures to protect personal data. Specific guidance on what those measures are, and on the criteria for when they are appropriate, is left to future delegated acts of the EC, so it remains to be seen what data security requirements will be adopted for particular industries and circumstances.

Regulatory Roundup, Part 3: Proposed Canadian Breach Notice Requirements

1/26/2012

The Canadian Parliament is again considering a requirement for organizations in Canada to notify individuals and the Office of the Privacy Commissioner of Canada in the event of a data breach. Under proposed amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA), organizations would be required to notify the Commissioner when there is a “material breach.” The bill does not define this term, but states that relevant factors for consideration of whether a breach is material include:

  • The sensitivity of the breached personal data;
  • The number of individuals affected by the breach; and

Regulatory Roundup, Part 2: Anticipated Reform of EU Data Protection Directive

1/19/2012

In December, the much anticipated draft of recommended reforms to the EU Data Protection Directive was released into inter-service consultation. The draft came in the form of two documents outlining recommendations for proposed regulations, one covering government entities and the other covering private businesses.

The proposed regulation for private business would repeal the EU Data Protection Directive and set out the requirements for protecting personal information directly in the regulation itself. By using a regulation rather than a directive to mandate data protection standards, the EU avoids each member state having to enact its own implementing law. This eliminates the nation-to-nation variation that has caused headaches for multinational companies under the existing directive.

Regulatory Roundup, Part 1: Impact of SEC Cyber Security Disclosure Guidance

1/12/2012

While state data breach notice laws have been around for several years now, publicly traded companies face a new dimension to their cyber security obligations. Recent Securities and Exchange Commission (SEC) guidance specifically calls out cyber security risks and requires publicly traded companies to consider the risk of cyber incidents under their existing disclosure obligations. The guidance is not a binding regulation, but it will likely become the standard by which the SEC, and certainly plaintiffs' lawyers, measure a company's compliance.

Start the New Year with Kroll’s Regulatory Roundup!

1/05/2012

It’s the start of a New Year, and time for Kroll to ask the perennial questions: what are your data security resolutions? Any plans to evaluate your security posture? To put resources toward risk management? Perhaps, like many organizations, you’re waiting to see how the compliance landscape shapes up for the coming year?

If you’ve got the last one in mind, you’re in luck. We’re devoting January to a rundown of recent developments, proposals, and guidance issued here and abroad. When we released our 2012 cyber security trends list in December, we specifically noted our belief that breach notification laws will gain traction globally, even if a federal law stalls here in the U.S.