
Is breach mitigation the next wave of cybersecurity regulation?

Melissa Ventrone, CIPP/US February 9, 2017

More and more, regulators are focusing their rulemaking power not just on how a company responds (or doesn’t respond) to a data breach, but the steps it took far in advance to prevent or mitigate such a breach. 

Two new sets of regulations — the European Union’s General Data Protection Regulation (EU GDPR) and a stringent new cybersecurity regulation from the New York Department of Financial Services — fall into this breach mitigation category, and are catching the eye of all companies that collect, store or process customer data. 

For an in-depth overview of these regulations and this recent shift to pre-breach mitigation requirements, join us Tuesday, Feb. 21, for a free webinar hosted by Advisen. The webinar, “The Next Wave of Cyber Regulation” will feature up-to-the-minute commentary and analysis on the effects of these upcoming regulations and the likelihood of more in the future. 

General Data Protection Regulation (EU GDPR)

The EU GDPR looms large for any firms or companies that handle the data of European customers. The measure, which goes into effect on May 25, 2018, will apply to any entity that captures or processes the data of EU data subjects — even if in relation to a free good or service. 

This will be an entirely new area of risk for many U.S.-based entities, one that imposes significant accountability requirements and carries the threat of serious fines: up to €20 million or four percent of global turnover for the preceding financial year, whichever is greater. 

One key element of the EU GDPR is the requirement, in certain circumstances, for firms to designate a data protection officer (DPO). This position, which must be in place by the law’s effective date, can be either an employee with a significant level of expertise or a contractor. Some in the industry are already worrying about the limited talent pool for this key position, and the importance of early recruitment so the DPO can guide an organization through preparations for the GDPR’s quickly approaching effective date. 

New York cyber regulation for banks, insurers

New York’s new regulatory scheme becomes effective in just a few weeks, March 1, 2017, and applies to any banks, insurers and financial institutions regulated by the state’s Department of Financial Services. 

This first-of-its-kind regulation requires affected companies and firms to create and maintain a detailed cybersecurity policy and program. The requirements of that program match many of the standard elements of any well-established private-sector cybersecurity policy, such as conducting penetration testing and vulnerability assessments, providing personnel training, and limiting access privileges. But this is the first time a state agency has required a written cybersecurity protocol from such a wide range of entities. 

Again, for more information on both sets of regulations, please join us Feb. 21 at our webinar, “The Next Wave of Cyber Regulation.” 

Melissa Ventrone is the chair of Thompson Coburn’s Cybersecurity group.