The GDPR and New York Department of Financial Services Data Protection Regulations Compliance-driven cybersecurity has arrived in Europe and the United States.

The GDPR and New York Department of Financial Services Data Protection Regulations

Compliance-driven cybersecurity has arrived in Europe and the United States.

 

The General Data Protection Regulation, or GDPR, is the European Union’s new data protection rule that comes with a broader set of mandates, stricter penalties, and applies beyond the bound-aries of Europe. The GDPR applies to any business that has personal data of EU data subjects no matter where in the world a business is based or systems are located.

In the U.S., the State of New York Department of Financial Services has implemented similar, but not identical, regulations that impose strict rules around breach notification, cybersecurity plan-ning, compliance verification and cybersecurity staffing.

The GDPR and NY DFS changes cybersecurity enforcement

A company does not need to be breached to be the subject to an enforcement action under the GDPR or NY DFS. Failing to comply is enough to trigger penalties.

 

On 25 May 2018, European Union regulators begin to enforce the GDPR. Enforcement of New York DFS 23 NYCRR Part 500 is already underway.

Under the GDPR, fines of up to 10 million EUR or 2 percent (2%) of an organization’s annual, global sales revenue – whichever is greater – can be assessed for failing to ensure security. Fines for more severe infractions, repeat infractions, or failing to comply with an order under the GDPR may result in fines up to 20 million EUR or four percent (4%) annual global sales.

Under DFS 23 NYCRR Part 500, companies that are attacked must notify DFS within 72 hours of any breach that could impact the business or its customers; maintain written cybersecurity plans, conduct annual penetration tests (in some cases) and twice-a-year vulnerability assessments. Compliance certifications are required to be filed each year with the Department.

The GDPR requires the appointment of a Data Protection Officer: the NY DFS requires the appointment of a Chief Information Security Officer.

A number of recent high profile cyberattacks are good examples of circumstances where the GDPR and/or NY DFS regulations could have led to enforcement actions if the breaches had occurred later in 2018:

Company Records Breached Basis for Action
Equifax Est 156+ million Failing to patch known flaws
Uber 57 million Failing to patch known flaws; failing to disclose breach; failing to notify
Under Armor /MyFitnessPal App Est 150 million Failing to ensure security
Saks 5th Ave / Lord & Taylor Est 5 million Failing to ensure security
Panera Bread Est. 37 million Failing to patch known flaws; failing to notify
Delta Air Lines / Sears / Best Buy Unknown Failing to ensure security

In the case of Equifax, it is estimated the company would face the maximum GDPR fine based on 2016 revenue – of approximately $125 million dollars.