With fines of up to 100 million Euros, it isn’t difficult to see why the passing of the proposed Network & Information Security (“NIS”) Directive (commonly known as the “Cyber Security Directive”) by the European Parliament has got businesses sweating. The recent high-profile breach of Morrisons’ employee payment data demonstrates that there is a need for tighter and more effective data regulation. However, at what point does the cost of data protection become unacceptable, and who should bear that cost?
The Directive’s aim is to strengthen the European Union’s resistance to cyber-security threats and to promote the reporting of data breaches. The passing of the Directive legitimises the view that the EU perceives data protection as a fundamental right. The full details of the Directive can be found here. It must be stressed that this new Directive will not affect all businesses; its remit covers any business deemed to be part of the critical supply chain, or a major technology service provider. This, though, is just the starting point: as data collection and transfer become more commonplace, it will not be long before stringent regulations are extended further.
Those businesses that will come under the Directive face a number of concerns. Chief among them is cost, though equally concerning is the proposal to impose a duty to report significant breaches to a national authority. Such businesses fear that by being forced to disclose a breach they will open themselves up to investigation by a regulator and/or ridicule by the press. One only needs to look at the media’s reaction to the aforementioned Morrisons data leak for an example of the frenzy a disclosure can cause.
The cost of fully implementing the new Directive, though, will be high, and it will be shouldered primarily by businesses. As Stephen Wares, Marsh’s Cyber Liability Practice Leader for Europe, the Middle East and Africa (EMEA), explains: ‘The cost to business of implementing the changes required to comply with this piece of regulation may be significant, but the cost of failing to comply could be far greater.’ By imposing an increased duty upon companies to upgrade and enhance their data protection and data management procedures, the Directive means companies will now have to invest a great deal or face the consequences.
The high costs referred to are the fines of up to 100 million Euros or 5% of a company’s global turnover, whichever is the greater. As such, insurance companies are rapidly assessing the risks involved were they to offer cover that could potentially be affected by the new Directive. It is clear that there is a strong will within the EU to give national regulators increased powers, with the suggested fining structure acting as an effective deterrent against non-compliance.
Regardless of the cost, this move highlights the importance that data storage and management has acquired in recent years. With the value of many recently formed online companies, most notably Facebook, residing in their vast stores of user data, should we be surprised that legislation seeking to protect it is now being brought into place?
In conclusion, though, it could be suggested that businesses have yet to appreciate the importance of data and the central role it is soon to play in modern business. As more and more of our details and personal information are collected and stored, the effort to steal and abuse that information will also increase. A recent example of this is the hacking and devaluing of the Bitcoin currency, which at its heart was a data currency: hackers saw the high value and sought to take advantage. Businesses may therefore want, for once, to get ahead of the curve and begin protecting and managing their data in a way that reflects its potential future value.
They will, however, have a little while to consider their options: even if the Directive is successfully passed, it will not be implemented until 2016 at the earliest.
If you are concerned about what these new provisions may mean for you or your business please don’t hesitate to contact Virtuoso Legal on 0844 800 8871 or email firstname.lastname@example.org