Report: EU may slap new GDPR Fines on Old Data Breaches

The European Union (EU) wants to send a clear message to companies that it’s serious about data privacy, suggesting it will still slap fines on data breaches that happen even before the EU General Data Protection Regulation (GDPR) takes effect in late May if companies don’t disclose them first.

Covering up data breaches in the EU that deal with sensitive customer or user data and occurred before May 25 could lead to a fine of up to 10 million euros or 2 percent of a company’s annual turnover, according to a published report citing comment by an anonymous EU official on the matter.

“If this behavior [of keeping a data breach secret] would continue–even if it started a long time ago and continues–and is discovered after the GDPR comes into play, then it’s relevant,” said the source, according to the report.

The official said that the EU plans to enforce the GDPR strictly after the May deadline, especially since it’s been public knowledge for more than a year, according to the report.

“If there is a breach discovered the day after, the GDPR will apply,” the official is quoted as saying. “I hope that every company dealing with our personal data takes the May deadline very, very seriously.”

[You might also want to read: “Taking the Long View of Breach Fallout]

Casting a wide net

Four years in the making, the GDPR—approved on April 14, 2016—is aimed at protecting the data privacy of citizens and enforcing corporate accountability for that privacy in the EU in an unprecedented way by imposing heavy fines on companies that don’t inform people of serious data breaches very soon after they happen.

The GDPR will require European companies to notify the authorities within 72 hours of confirming a breach–an action that should have the trickle effect of also informing individuals affected, as the breach likely will go public.

Companies that hide evidence of data breaches that occurred before the May 25 GDPR “go live” date could be penalized under the law.

The law is not limited to EU-based companies, either. Any U.S. company operating overseas must comply with any local breach law if an incident impacts an individual who is a citizen of another country.

This extends accountability to U.S.-based companies to understand the legal and regulatory framework of every country in which they operate. Of particular importance will be regulations of how and when companies must notify the authorities as well as those impacted by a breach, since these vary from country to country.

Facebook under fire

The debate over data privacy is certainly blowing up in a big way at the moment after revelations that have come out recently over the questionable collection and misappropriation of Facebook data by U.K.-based data firm Cambridge Analytica in such a way that it may have swayed the 2016 U.S. presidential election in favor of President Donald Trump.

Indeed, Facebook is feeling the fallout of its dodgy data-privacy practices in an unprecedented way. Last month, Facebook Chief Information Security Officer Alex Stamos stepped down because of the public scrutiny and his own internal disagreement over data-breach disclosure.

His boss, Facebook founder and CEO Mark Zuckerberg, has been in the hot seat all week before a Senate committee defending his company’s ability to protect the personal data of its users and ensure the platform isn’t misused to change the U.S. political landscape in the form of election tampering.

While it’s unclear yet how this retroactive enforcement suggested by the EU will play out, U.S. companies likely will be under heavy scrutiny thanks to the Facebook debacle and should be amply prepared, Rafael Amado, strategy and research analyst at digital security risk-management firm Digital Shadows, told Security Ledger.

“May 25th is only around the corner, and we expect there to be some early enforcement fines to put teeth behind the bark,” he said. “I wouldn’t be surprised if large U.S. technology firms are the first to be targeted by EU regulators, particularly given the recent coverage of Facebook and its dealings with personal data.”

Focus on data privacy

Even if the EU official’s claim of retroactive enforcement is an empty threat, companies should not ignore the message behind it, Amado said.

“Regardless of whether data breaches occurring before or after May 25th are enforceable, protecting personal data is important, and organizations should already be ensuring they have the necessary visibility over their assets and the data they hold or process,” he said. “This includes personal data that sits outside of an organization’s network.”

Amado cited 500 million files exposed through misconfigured file-sharing services and storage devices in the EU that his company recently discovered as proof of how far-reaching data breaches can be.

“With such large figures at play, the chances of European personal data being exposed through these means is very high,” he said. “Organizations need to therefore ensure they have a grasp of where data is unprotected on their own infrastructure, and whether third-parties or employees are inadvertently exposing personal data by copying and archiving files outside of the office network.”