New data protection laws will require better info security by companies, say researchers

Out-Law Analysis | 17 Sep 2015 | 5:18 pm | 4 min. read

FOCUS: Businesses can expect to have to implement stronger data security measures in future to comply with new EU data protection laws on the horizon.

That is the view of two researchers at Queen Mary University (QMU) of London's School of Law who have highlighted the likely raising of "security benchmarks" under the new data protection regime.

According to their paper, the rise in required standards could have implications for the way businesses facilitate customers' access to accounts, services and data.

Why can we expect data security compliance standards to increase?

EU law makers are currently in negotiations over the wording of a new General Data Protection Regulation. The proposed Regulation, once finalised and in force, will replace the current Data Protection Directive that has applied in the trading bloc since 1995.

Whilst EU legislators have yet to agree on the details of reforms, possible changes that businesses might have to accommodate include explicit requirements to consider and account for data protection needs when designing new products and services and to apply data protection settings to products and services by default in a way that ensures their compliance with the new Regulation.

The new rules envisaged on data protection by design and default would be in addition to broader data security requirements which will be set out in the new Regulation. The data security rules are likely to be similar to those stipulated under the Data Protection Directive, although MEPs have backed more prescriptive rules than are currently in place.

Current EU data protection laws require that data controllers must "implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing".

Precisely what security measures each company has to deploy to be compliant depends on a number of factors, including what security tools are available, how much they cost to implement, what type of data the organisations are responsible for and the level of risk inherent in processing that information.

However, according to QMU researchers Elizabeth Kennedy and Christopher Millard, the inclusion of new rules on data protection by design and default in the Regulation would be "likely [to] raise the overall 'base-level' for security measures" that organisations will need to deploy.

They said that although those rules would not impose a single data security compliance standard that all organisations would have to meet, they would probably drive up the expectations data protection authorities (DPAs) would have on data security.

According to Kennedy and Millard, "if the final text of the Regulation implements effectively the principle of data protection by default, this would probably mean that a high level of security settings should be pre-set on relevant products and services".

The implication of this could be widespread adoption of 'multi-factor authentication', they said.

What is multi-factor authentication?

To protect against fraud, meet compliance requirements on anti-money laundering and terrorist financing, or to simply ensure the confidentiality of account information, many businesses require customers to verify and validate their identity when logging into accounts, making transactions or otherwise seeking to access services.

According to the definition outlined in Kennedy and Millard's report, 'multi-factor authentication' refers to a range of possible solutions that businesses can deploy to obtain identity assurance. In short, the solutions require customers to provide at least two different types of credentials to verify their identity, from entering a username, password or PIN number, providing details of unique codes they are issued with, to providing data unique to them, such as in the form of a biometric fingerprint.

Consumers will be familiar with multi-factor authentication in a number of settings, notably in banking. For example, many banks require customers seeking to make a transaction to not only enter username ID and password information but to also enter one-time codes sent to their mobile devices that are linked with their accounts.

However, Kennedy and Millard hinted in their paper that this level of security could soon become the norm in other business sectors.

Predictions on multi-factor authentication post-reforms

The new General Data Protection Regulation is unlikely to stipulate a specific requirement for multi-factor authentication to be deployed, partly because the Regulation will promote technologically neutral data protection requirements, they said.

However, DPAs are likely to champion multi-factor authentication as a means for businesses to meet their data protection by default obligations in "voluntary codes of conduct and guidelines", the researchers said.

It is "unclear" as yet whether the Regulation, or implementing secondary legislation or guidelines under the new regime, will specifically outline whether businesses that deploy multi-factor authentication will be said to comply with the data security rules specifically, they said.

However, multi-factor authentication – in its many possible forms – might become common place even if it is "not mandated", the researchers said. This is because its adoption might be driven by "market behaviour", with this having a knock-on "impact on what constitutes an appropriate baseline for security".

"Many data processors and data controllers may offer it anyway if it becomes common market practice to do so," Kennedy and Millard said. "Particular impetus for adoption is likely to arise where use of multi-factor authentication becomes a customary security method in certain sectors or situations. In such circumstances it may appear that a data controller or data processor is out-of-step with the rest of the market place if it does not adopt multi-factor authentication."

In an environment where hackers pose an increasing threat to data security, businesses will perhaps be most rightly worried about the potential damage to their reputation that could arise from a data breach.

However, with reforms to the EU's data protection regime scheduled to be finalised before the end of 2015 and likely to bring about a far stiffer sanctions regime than currently applies, businesses will be keen for greater certainty from EU law makers and the watchdogs that will interpret and enforce the new General Data Protection Regulation. This includes on what measures they need to implement to meet the data security requirements, whether that means embedding multi-factor authentication or not.

The focus of Kennedy and Millard's report was on explaining "the legislative data security requirements and how multi-factor authentication may facilitate compliance with these obligations". They did not offer a view on the actual effectiveness of multi-factor authentication as a security measure.

Lucy Jenkinson is a data protection law expert at Pinsent Masons, the law firm behind