In the United States, a week rarely goes by without a new cyber security breach. Slowly but surely, the European Union is catching up in raising awareness of cyber security and demanding that companies protect the personal data of EU individuals who fall under the definition of “data subjects.” The final version of the new General Data Protection Regulation is expected to be released by late 2015 or early 2016.
Once the new rules are in force, a company that experiences a cyber incident in which personal data of EU data subjects is compromised will have to issue a breach notification to a national regulator. The notification deadline is extremely short – only 72 hours from the breach. Importantly, the new rules will also apply to American companies that offer goods or services to, or monitor, EU data subjects. The administrative fines for failure to comply with the regulation could be steep – 1M euro or 2% of the company’s worldwide turnover.
SDV will continue to monitor this emerging issue. In the meantime, please feel free to contact Stella Szantova Giordano, a member of our cyber risk practice group.