U.S. multinational banks can no longer afford to wait and see what might emerge from the European Union's seemingly endless deliberations over the regulation of data privacy and security. Implementation of the EU's General Data Protection Regulation could get underway as soon as next year.
For banks serving EU residents, failure to act could mean fines of up to €100 million ($110 million) or 5% of annual global revenue. Banks that remain in a holding pattern until they see the final regulation could end up scrambling to ready their operations for a heightened degree of scrutiny and enforcement from EU regulators.
In some ways, the proposed regulation is at risk of being out of date even before adoption. For example, the current draft would impose strong obligations on firms to obtain explicit consent from individuals prior to processing their personal information.
Of course, transparency and choice remain critical aspects of protecting an individual's privacy rights. Yet the effectiveness of the explicit consent model quickly diminishes when applied to the modern realities of a digital world. Most individuals simply click their "consent" in order to download apps and software without ever taking a glance at the terms to which they are consenting. Given these realities, an "explicit consent" model is unlikely to be highly effective. A better approach would be to produce regulation that focuses on the purposes and circumstances under which personal information will be processed.
Nonetheless, the accelerating global cycle of data breaches and cybersecurity incidents appears to have convincingly demonstrated to EU legislators that back-end security of personal information is a critical aspect of data protection in a digitized, global economy.
It is highly popular in Europe to decry the lack of data protection in the U.S. But regulators such as the New York State Department of Financial Services and the Securities and Exchange Commission, among others, have made cybersecurity a top priority. In addition, nearly every U.S. state now has a data-breach notification law requiring companies that suffer an attack to notify people who might be affected.
Europe's proposed regulation follows the lead of many U.S. state provisions, while adding a few unique requirements. One such requirement is that companies suffering a breach of personal data would be required to notify data protection authorities within 24 hours of discovery of an event, unless there is a "reasoned justification" for a delay. This stringent standard does not allow much time for implementing internal breach response protocols or for fully understanding the nature and extent of the breach before informing the data protection authorities.
However, there is some wiggle room in the proposed breach notification provisions. These require that companies communicating a breach to the data subjects do so "without undue delay," but only in instances where the breach is likely to adversely affect the protection of the personal data or privacy of those data subjects whose information was disclosed. This "risk of harm" proviso is similar to the standard in a minority of the U.S. state laws. It will give businesses a bit more flexibility in determining whether to notify individual data subjects.
The proposed regulation also contains provisions addressing the compromise of personal information in the possession of a third-party vendor. NYDFS superintendent Benjamin Lawsky recently made the point that "a bank's cybersecurity is often only as good as the cybersecurity of its vendors." EU legislators appear to be on the same page. Under the proposed regulation, a vendor must notify the company whose data it is processing immediately upon discovering a personal data breach, so that the breach can be reported to the authorities. This is an important component of the breach notification provisions, as it begins to address third-party data risk from a regulatory perspective. It should push third parties, as well as the companies they serve, to move to mitigate risk.
With this new level of Euro-scrutiny and the strong likelihood of continued cyberattacks, top bank executives should assume a leadership role, engaging intently in preparations with the institution's IT security, IT operations, legal, compliance, and communications departments. In addition to containing any cyberattack as efficiently as possible, individuals in these departments will need to quickly evaluate the breach and make critical determinations about the types of data exposed, whether notification to European data protection authorities is required, and whether, considering risk of harm, notification of data subjects is required.
Now is the time for banks' compliance teams to develop, document, implement, and rehearse a process that clearly identifies the roles and responsibilities of the incident response team, including steps to evaluate whether notification is required. The legal department must draft language for contracts with third parties, binding them to specified levels of data security and requiring the reporting of data breaches. Banks should also come up with a breach communication plan, detailing who is responsible for dealing with data protection authorities, the press, data subjects, and their representatives.
U.S. multinational banks clearly have experience in addressing data security and compliance at home. Until recently, however, too few top bank executives have been engaged in this critical issue to the extent necessary to ensure reliably coordinated, effective, and cross-functional responses to cyberattacks.
With the bar being raised in Europe, C-level bank executives need to engage fully on both the U.S. and European fronts. Otherwise, the already high cost of cyberattacks and cyber defense could be compounded by exposure to the very high fines now on the table.
Daniel J. Goldstein is senior director with Treliant Risk Advisors in New York. He can be reached at firstname.lastname@example.org.