What kinds of regulatory schemes are being implemented across the world, and how do they intersect, complement or even contradict one another? What can we learn from GDPR, and how will these regulations affect cyber claims?
A panel discussion at the NetDiligence Cyber Risk Summit in Santa Monica from October 1-3 concluded that companies unable to clear up their “toxic legacy” of privacy issues will suffer as regulatory regimes increasingly protect the rights of the individual. With the European Union’s GDPR as the primary driver, many countries are “cherry-picking” aspects of the regulation to create their own legislation.
Hans Allnutt from DAC Beachcroft covered the EU’s General Data Protection Regulation (GDPR) — the talk of the insurance world in 2018; Alex Cameron from Fasken covered Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA); and Joshua Pyle from CyberCube covered the regulatory landscape in APAC, focusing on Australia, Singapore, mainland China, and South Korea.
“In recent years, judges, legislators, and regulators across the EU have recognized the need to protect rights of privacy in the modern era and redress the balance in favor of the individual. This has resulted in a rise in compensation claims and regulatory sanctions against organizations that infringe privacy rights or suffer a data security breach,” noted the latest DAC Beachcroft insight report. “It is clear that as we emerge out of the oil boom of the Big Data age, those organizations that are not prepared to deal with its toxic legacy will be hit hard.”
One of the more notable provisions of the GDPR is Article 33, the breach notification requirement, which states: “In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it.” “We no longer have the luxury of time; the clock is ticking,” said one of the speakers.
Legislation outside of the EU is currently very much “GDPR inspired” but still differs by country across a handful of dimensions, including what data is in play, the threshold for determining mandatory notification, who must be notified, how regulators and affected individuals must be notified, timelines for notification, and financial fines and penalties in the event of non-compliance.
Notable regulatory developments across the world are focused mainly on data protection, though some are aimed more broadly at cybersecurity.
Within APAC, we have seen movement across most countries in the region; some introduced entirely new legislation or regulation, while others built upon laws from years ago (e.g. Australia, building on its 1988 law).
“While we have yet to see the full implications of the much-anticipated GDPR rollout, we already see a number of countries cherry-picking aspects to carry over into their own legislation,” Joshua Pyle from CyberCube commented.
Joshua further added, “The play-out of early-stage regulation, and regulation still pending feedback, will be influential in shaping this space over the coming years. A particular focus will be placed on locations like China and India, where populations and increased data volume will ensure data protection remains a hot topic.”
The discussion was followed by a multi-jurisdictional case study examining how each region would respond (which laws apply, and how) in the event of a data breach or exfiltration, and what costs are triggered in such a scenario.
There is enough happening in this space that we could have the same discussion in one year with entirely different talking points. Notable outstanding cases (e.g. Facebook) will involve influential court decisions and prompt additional class actions and new levels of litigiousness, and regulations emerging in the post-GDPR era will continue to shape the international regulatory landscape in the near future.
Needless to say, the time is here.