The GDPR went into effect in May, and was immediately followed by an initial round of consumer rights lawsuits. Small and medium enterprises anywhere in the world that collect data on EU citizens (knowingly or not) need to be prepared.
Have you noticed the new permissions you have to click every time you visit a new web site? On May 25, the European Union enforced a new set of regulations, collectively called the General Data Protection Regulation (GDPR). This mandate aims to protect consumer data collection and use. On the same day, consumer rights organizations filed the first lawsuits against companies that they believe do not adhere to the new laws authorized under the GDPR’s data subjects rights clauses. These citizen lawsuits may be problematic for companies whether they are located in the EU or not. Pay attention, because this European law will have global impact on any business with a website.
For small and medium-sized enterprises (those under $100 million in revenue), GDPR is going to matter even if you are not actively doing business in Europe. With the issues raised by Facebook’s use of data and the organically global reach of the internet, your business will likely have to adhere to some form of data protection or risk having your access blocked by regulatory agencies in the countries where you are not in compliance.
Right now, you might be thinking, “I don’t have offices in the European Union, and I don’t do business there, so this doesn’t affect me.” The problem is that the authorities enforcing GDPR may try reaching out internationally to create protection standards and to encourage businesses in other countries to be more thoughtful about the information they collect.
Businesses in the United States remain unsure about how the GDPR will impact them. The GDPR confuses companies by asserting control over data controllers or processors with a main establishment located in a European Union Member State while also requiring compliance from those who market or sell to EU citizens. Large companies with physical locations in the European Union must comply. Although international corporations like Amazon or Facebook need to comply, mid-size businesses that either market to or collect information from EU citizens fall into a gray area.

How Could GDPR Impact Small- and Medium-Sized US Businesses?

Many smaller and mid-sized businesses in the US assume that GDPR won’t impact them. Unfortunately, depending on how far the lawsuits can reach, this thinking can be a problem.
For example, a small, locally owned coffee shop in a suburban US town could potentially be liable under the GDPR. When a shop asks for a name or email address in exchange for free Wi-Fi, it is often collecting personally identifiable information that may be used for marketing, and the customer could be an EU citizen visiting on business or holiday. GDPR may protect the information of the EU citizens who provide that data, and the practice could be viewed as “marketing to an EU citizen” under the regulation.
Similarly, if you’re a small B2B vendor that asks for user information in exchange for a white paper, EU citizens who provide data for it might also be protected under the GDPR.
To date, the European Commission hasn’t explained how it plans to handle smaller businesses. However, many experts in the information security field think that the GDPR is the first of many data protection regulations. Therefore, companies of all sizes need to start thinking about these kinds of regulations when purchasing their cyber insurance.
Understanding your insuring agreement is the first step to understanding how your cyber insurance coverage can help protect your company. Standard language often states that the insurance company shall have a duty to investigate, defend, and conduct settlement negotiations, as well as choose a defense attorney, for any claim or suit arising out of a covered cause of loss. The terms in the insuring agreement are the key that unlocks coverage. Not only do you need to read your insuring agreement, but you need to understand the definitions in the agreement. For example, you need to make sure you’re protecting information correctly so that the insurance company will consider it a “covered cause of loss.”
As with any insurance policy, you should always read your coverage to make sure that you understand what it says.
Fortunately, even small businesses will have tools to implement, monitor and manage GDPR. Since liability for digital data falls under the realm of cyber law, Zeguro’s Virtual Cybersecurity Officer will monitor compliance with the rules, and recommend implementation and risk mitigation approaches to reduce your exposure to the regulation, both now and as it evolves and extends to other regions.
Covered causes of loss normally include accidents and mistakes. For example, accidents can include events like damage to a physical machine or a power surge that destroys information. Mistakes relate to actions that you and your employees take. For example, an accidental or negligent error might be a data entry typo but can also refer to ongoing systems operation.
Accidents and mistakes happen. Unfortunately, sometimes your business’s procedures leave gaps that increase the likelihood of something bad happening. If that’s the case, an insurer may not cover you for the loss.
A good example comes from the environmental insurance issues back in the 1980s. When the United States Environmental Protection Agency (USEPA) sent letters to small businesses about contamination, many owners were confused and assumed their insurance would automatically cover it. Unfortunately, some smaller businesses had not paid attention to their machines. Many small dry cleaning businesses went bankrupt because chemicals leaked from their machines as part of doing business. Those leaks were sometimes caused by not having the most up-to-date machines to protect against leakage, or by not doing the regular maintenance that would have prevented them. Because the companies didn’t take care of their machines, the leaks weren’t considered accidental.
Cyber cleanup works the same way. If you have outdated software or processes, you might be leaking information. Businesses need to monitor their information assets the same way they monitor their physical ones. Ongoing monitoring with automated platforms can help with this by giving you easy-to-understand alerts, simplifying the process.
When considering cyber security, cyber risk monitoring and cyber insurance, make sure your processes and policies include data and privacy regulation concerns in addition to attacks and data loss concerns. Zeguro is committed to reducing your risk through awareness, compliance, and protection against cyber concerns of all kinds.