Ever since people began entrusting their information to social media, to companies, or to their own protected online servers, there have been groups who attempt to steal that information and use it with ill intent. Because the United States and other nations place great weight on personal privacy, companies are made or broken by how well they handle information security. While companies are often victims of cyber attacks that jeopardize their customers’ information, in the past the customers were sometimes left in the dark.
How are consumers protected from these attacks?
As with many consumer protection measures in the U.S., many states have enacted laws that require businesses to notify customers when their data may have been compromised. States like California and Michigan, among many others, have enacted laws requiring companies with clients in their state to notify those consumers of the potential damage done, along with resources to help protect them against potential fraud. However, there is currently no federal law protecting United States citizens.
The EU’s Answer: General Data Protection Regulation
Unlike the United States, the European Union (EU) has taken it upon itself to protect citizens of all member states via the General Data Protection Regulation (GDPR). The GDPR applies to all businesses that are based in the EU, that offer services to people in the EU, or that monitor people in the EU. The GDPR applies to any company that has suffered a “personal data breach,” which is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
Major differences in the GDPR
Similar to many of the U.S. state laws, the GDPR requires disclosure to consumers once an information breach has been discovered. Once data processors notice the breach, they notify the data controllers, and the data controllers then notify the consumers and the government regulators. While much of the regulation is now considered standard, since it is modeled after United States laws, there are some key points worth noting.
- General Data Protection Regulation goes into effect in 2018.
- The GDPR governs all types of identifying information, not just sensitive materials like Social Security Numbers, driver’s license numbers, etc.
- Notification is required on any evidence of a breach, not only when there is a material threat to customers.
- Companies that become aware of a breach are required to notify governing agencies in the EU within 72 hours of discovery.
- Individual victims have the right to seek damages for the harm they suffer if the company in question has not abided by the GDPR requirements.
- Companies that do not abide by the GDPR may be fined up to 2% of the company’s annual revenue.
These key points highlight that the EU is not taking its citizens’ privacy lightly. Allowing for a major fine against companies for GDPR infractions will hopefully spur companies not only to notify consumers when breaches occur but also to treat information security with greater responsibility. We’ve written previously about steps companies need to take here and here.
Talk to a Data Breach Lawyer
In a time when all of our information and customers are global, it is important that your company understands which laws could directly impact its business.
Revision Legal consistently works to improve its clients’ legal protection in the wake of potential information breaches. If you have concerns about your exposure or have received notification that your company has been the victim of a security breach, contact our experienced data breach attorneys. Contact us using the form on this page or call us at 855-473-8474.
Photo credit to Flickr user Leon Yaakov.
Editor’s note: This post was originally published in December 2016. It has been updated for clarity and comprehensiveness.