It appears that hackers don’t take the summer off. From the U.S. Office of Personnel Management to online dating site Ashley Madison, cybercriminals have been proving that they will go after just about any sort of target that holds people’s personal data.
At the same time, regulators have been trying to fight back, particularly in the European Union, where new data protection rules are emerging that may be finalized as early as the end of this year. Although the regulations are European, many U.S. companies that do business in the EU and handle the data of customers and employees there will still have to comply.
Given the one-two punch of increasing cyberattacks and impending regulatory changes, now might be a good time for companies to take a hard look at the way they process and protect their data. “Most companies nowadays are going above and beyond anything that’s out there right now and looking forward to the future,” Kristoph Gustovich, director of hosting and security at Mitratech, told CorpCounsel.com. “They’re always looking to meet what’s going to be the next stage of regulations.”
One major step companies should take in anticipation of the European changes, according to the white paper, is to account for how the new rules will redefine their roles in data protection. Many companies that avoided a certain amount of responsibility for customer data by being classified as “data processors” will carry the same responsibility as “data controllers” under the new regulations. This leveling means that some companies will have to toughen their security posture when handling customers’ personal data.
It’s not just the roles of some companies that are changing, however. Roles of individuals within the companies also have to evolve to meet heightened legal and security needs. The new EU regulations, for example, may require companies with a certain number of employees and a certain amount of data to appoint a data protection officer from either inside or outside the company. This person will be responsible for making sure the company complies with privacy requirements.
General counsel are also seeing their roles evolve as breach risks and regulatory risks grow. “The laws are always going to change, and unless you have a general counsel involved to understand that, to present that to the technologist in a way that they can understand, there’s no way the technologist will be able to understand all the nuance,” said Gustovich. He also warned against putting cybersecurity responsibilities in silos, whether IT’s or legal’s. In his experience, he noted, that approach is doomed to fail.
One of the most important jobs in-house counsel have for cybersecurity is ensuring that the company’s contracts are compliant with data security laws. The white paper identifies use of contract language as an area where companies covered by new European regulations will probably have to make substantial changes.
The new rules will likely require that companies tell users and customers, in the company’s contracts, what data of theirs the firm will collect and how it will use that information, and then obtain an explicit “opt in.” By contrast, many U.S. companies enroll customers in data collection by default and require them to explicitly “opt out.”
Another contractual issue the white paper addresses is the need for very specific language in user contracts. It explains that blanket contract terms will no longer cut it, in terms of compliance with emerging data security laws. And if a company intends to conduct data mining, this has to be made contractually clear to customers and users.
For companies, it is essential to stay ahead of the curve both on the increasingly difficult security environment and on the new European regulations, which may well set the pace for future data privacy rules in the U.S. and abroad, said Gustovich. When budgets and contracts need to be adjusted, he said, companies should not wait to get started, even with the two-year lead time between finalization and implementation that the EU has indicated it will allow. Adjusting to serious regulatory changes takes time and planning. “It will come up much faster than people expect,” Gustovich warned.