In-brief: Like it or not, U.S. companies will be expected to comply with strict new European breach notification laws. The good news: responding to breaches in this new regulatory environment just takes a little preparation, says Michael Bruemmer of Experian.
It’s no secret that the economy has continued to globalize as more and more companies expand their operations across national borders. Undoubtedly this expanded marketplace has brought increased profits to companies worldwide, but it also brings an increase in international security incidents and, as a result, new security regulations and mandates.
In fact, there were 38 percent more security incidents detected in 2015 compared to 2014, according to a survey by PwC. International breaches are no exception and consistently grace our headlines, with this year’s well-known breaches at Myspace, Twitter and LinkedIn being but a few examples. The rise in international breaches has left many wondering what this will mean for the global economy, and also what they can do to minimize the negative effects of a breach on their business.
U.S. companies have certainly had a head start, as many are already accustomed to preparing for the realities of a data breach due to the state and federal regulations that have required U.S.-based companies to get serious about data breach preparedness and consumer notification. As countries worldwide begin to introduce their own regulations regarding data breaches, executives both at home and abroad are grappling with the impacts of these new regulations.
The largest of these new global regulations is certainly Europe’s adoption of the General Data Protection Regulation (GDPR). The GDPR will require European companies to notify the authorities within 72 hours of confirming a breach, which will undoubtedly influence many to also notify affected individuals, as the breach may go public. This is causing all European companies to seriously rethink their approach to breach response, or else face significant regulatory action and fines, as well as loss of reputation.
Of course, U.S. companies are not off the hook. Any U.S. company operating overseas must comply with the local breach law if an incident impacts an individual who is a citizen of another country – including the new GDPR. This means U.S.-based companies must prepare for the new regulations as well, making sure they understand the legal and regulatory framework of every country in which they operate. Particularly important are the rules governing how and when companies must notify the authorities, as well as those impacted by a breach, because these vary widely from country to country.
Furthermore, companies need to be cognizant of which remedy offerings are available and preferred in each country. These elements need to be incorporated into breach response plans as well, in order to account for the increased complexity that comes with handling an international incident. This includes plans for managing translations and notification mailings, as well as coordination across offices in different geographies.
The good news? With a little preparation, both U.S. and foreign-based companies can prepare to handle security incidents effectively and efficiently. It’s a simple formula really – create a data breach response plan, practice the plan, and make sure there’s a delegate in each market of operation to help execute the plan. Working with data breach response experts to create your data breach response plan will go a long way, as the details and best practices that go into effective plans can be complex.
Companies will also benefit greatly from identifying a legal partner in advance in each market to help manage the disclosure to the local regulator and ensure compliance with local regulations. It is paramount to work with local legal experts when it comes to breach response, especially as regulations continue to change and evolve internationally. Having boots on the ground in all of your international markets can save a lot of time, as well as protect your business from making legal mistakes.
While data breaches are certainly here to stay, and likely to increase in the international business climate, companies can decrease the impact of these incidents with some good old-fashioned planning – the sooner, the better. Developing a comprehensive plan takes time and attention to detail, but in the long run, being thorough will only save your company from reputational and financial damage, here and abroad.
Michael Bruemmer, CHC, CIPP/US, is Vice President with the Experian® Data Breach Resolution group.