Is breach mitigation the next wave of cybersecurity regulation?

Thompson Coburn LLP

Thompson Coburn LLP

More and more, regulators are focusing their rulemaking power not just on how a company responds (or doesn’t respond) to a data breach, but the steps it took far in advance to prevent or mitigate such a breach. 

Two new sets of regulations — the European Union’s General Data Protection Regulation (EU GDPR) and a stringent new cybersecurity regulation from the New York Department of Financial Services — fall into this breach mitigation category, and are catching the eye of all companies that collect, store or process customer data. 

For an in-depth overview of these regulations and this recent shift to pre-breach mitigation requirements, join us Tuesday, Feb. 21, for a free webinar hosted by Advisen. The webinar, “The Next Wave of Cyber Regulation” will feature up-to-the-minute commentary and analysis on the effects of these upcoming regulations and the likelihood of more in the future. 

General Data Protection Regulation (EU GDPR)

The EU GDPR looms large for any firms or companies that handle the data of European customers. The measure, which goes into effect on May 25, 2018, will apply to any entity that captures or processes the data of EU data subjects — even if in relation to a free good or service. 

This will be an entirely new area of risk for many U.S.-based entities, one that imposes significat accountability requirements and carries the threat of serious fines —  up to €20 million or four percent of global turnover for the preceding financial year, whichever is greater. 

One key element of the EU GDPR is the requirement, in certain circumstances, for firms to designate a data protection officer (DPO). This position, which must be in place by the law’s effective date, can be either an employee with a significant level of expertise or a contractor. Some in the industry are already worrying about the limited talent pool for this key position, and the importance of early recruitment so the DPO can guide an organization through preparations for the GDPR’s quickly approaching effective date. 

New York cyber regulation for banks, insurers

New York’s new regulatory scheme becomes effective in just a few weeks, March 1, 2017, and applies to any banks, insurers and financial institutions regulated by the state’s Department of Financial Services. 

This first-of-its-kind regulation requires affected companies and firms to create and maintain a detailed cybersecurity policy and program. The requirements of that program match many of the standard elements for any well-established private cybersecurity policy, such as implementing penetrative testing and vulnerability assessments, providing personnel training, and limiting access privileges. But this is the first time a state agency has required a written cybersecurity protocol from such a wide range of entities.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Thompson Coburn LLP | Attorney Advertising

Written by:

Thompson Coburn LLP

Thompson Coburn LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.