CYBERSECURITY REGULATION: A VIEW FROM THE U.S.

By James Bindseil, President and CEO of Globalscape

As an American company advising and working with clients worldwide, we have the chance to see how companies trading across the Atlantic are dealing with new compliance laws as a result of recent European legislation. One of the biggest regulatory issues facing U.S. businesses in 2016 is the effects of the European Court of Justice’s invalidation of Safe Harbor —the legal provision under which the cross-border transfer of personal data from the EU to the U.S. was deemed compliant with European privacy law.

The loss of Safe Harbor – and the pending language being finalized around the EU-U.S. Privacy Shield – has been a major headache for American companies that do business in Europe, requiring the movement of data between the U.S. and Europe. Until the new agreement rules have been finalized, individual companies should make provisions through a Model Contract clause or Binding Corporate Rules with each country’s data protection authority, or figure out workarounds that keep data from crossing international borders.

At the same time though, U.S. companies are facing another significant regulatory concern, which has potentially more ominous implications: fallout from the Federal Trade Commission’s win in its case against Wyndham Worldwide Corporation, the hotel and resort management company. It was the first case of a Government regulatory body taking an organisation to court over a failure to protect data and acts as a warning to businesses on both sides of the Atlantic.

By ruling in favor of the FTC, which sued Wyndham under its regulatory authority for conducting unfair and deceptive business practices (making it easy for cybercriminals to steal customer data), the courts set a precedent that gives greater enforcement power to the FTC in cases where consumers’ personally identifiable information (PII) is compromised. The FTC’s action came after a series of data breaches that the commission argued affected Wyndham because of the company’s failure to provide proper protection and management of sensitive customer data.

Most people agree that the Wyndham decision will result in an emboldened FTC taking a more activist posture with regard to cybersecurity. It is a pattern we’re seeing globally. States and federal bodies are looking to introduce regulation to better protect their citizens’ data. Just in the latter part of 2015, we saw the first draft of the pan-European General Data Protection Regulation (GDPR), governing the use and privacy of EU citizens’ data and the Data Protection Directive, governing the use of citizens’ data by law enforcement.

Continued rulings and regulation by leaders will result in enterprises on both sides of the Atlantic investing in state-of-the-art data protection, including technology investments and governance policies.

Consequently, the most logical next step for state-of-the-art cybersecurity will be founded on the principles of the PPT model: People, Process and Technologies. PPT involves constant review and update of best practices weighed against changes to regulatory compliance. A good example of this model would be the programs established under the requirements of Massachusetts’ data protection law 201 CMR 17, which establishes a baseline for protecting that data in order to mitigate the chance of a data breach in the first place. In the UK, the Department for Business Innovation and Skills 10 steps to cybersecurity is a great first step to encourage organisations to follow the PPT model. Whether this becomes regulation is up to the politicians, but it continues to provide a useful guide for organisations to follow to ensure they are fully compliant with the increasingly complex regulatory space.