The legal landscape on cybersecurity is changing with stiffer fines for breaches on the way, says expert

Out-Law Analysis | 16 Feb 2017 | 12:18 pm | 2 min. read

ANALYSIS: Organisations face stiffer obligations on the security measures they must put in place to prevent their systems and data being compromised as well as new duties to disclose major incidents or breaches they experience.

Tough financial penalties await businesses that fail to meet the new requirements.

Having looked at the 10 things you always wanted to know about cybersecurity but were afraid to ask, we will share our findings in a themed series. We previously looked at which people are typically behind cybersecurity breaches and the methods they use, as well as what the common vulnerabilities are and what good IT security looks like. Here were look at how the legal landscape and regulatory fines are changing on the issue of cybersecurity.

Major legal reforms forthcoming

There are two big pieces of EU legislation in particular that will deliver major changes to the way cybersecurity is currently addressed by regulation.

The General Data Protection Regulation (GDPR) comes into effect on 25 May 2018. The Network and Information Security (NIS) Directive, unlike the GDPR, is not directly applicable in EU countries, but member states must implement the Directive into national laws by 9 May 2018. The NIS Directive is relevant to many sectors where critical national infrastructure can be found, including the energy sector.

The two main things that the new legislation will deliver is increased transparency over data breaches and cybersecurity incidents and the risk of higher regulatory fines.

Notification

Most EU companies are not currently required to notify regulators or customers after a data breach, as opposed to the US, where 47 out of 50 states have mandatory notification laws.

Both the GDPR and the NIS Directive will increase the number of companies and sectors that will have to report breaches to their national regulator, and possibly to customers too.

Not all data breaches or cybersecurity incidents will have to be reported under the new rules. Thresholds for notification are set out in the legislation.

Where the threshold for notification is triggered under GDPR, data controllers will have 72 hours, where feasible, to report a data breach to data protection authorities.

Under the NIS Directive, major cybersecurity incidents must be notified to a member state's 'competent authority' or its 'computer security incident response team' (CSIRT) "without undue delay".

Fines

At the moment, the highest fine that organisations can be served for breaching the UK's Data Protection Act is £500,000. Under the GDPR the maximum penalty that could be imposed will be far larger. Fines could reach €20 million or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

A tiered system of fines under GDPR is envisaged, so a lower cap will apply to some breaches of the new rules. The maximum amount of fine in the lower tier is €10m or up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

The NIS Directive is not as prescriptive on penalties. It states that EU countries are responsible for determining their own “effective, proportionate and dissuasive” penalties for infringement of the NIS rules.

It is not yet clear what penalties will be considered. Possible penalties could include fines, public naming of those in breach, and/or a requirement to rectify deficiencies identified with cybersecurity measures deployed.

Kristina Holt is a data protection law expert at Pinsent Masons, the law firm behind Out-Law.com.