Cybersecurity breaches have numerous consequences. Companies may lose revenue and customers, suffer damage to their brands and reputations, and face lawsuits and litigation.
Cybersecurity wasn’t an issue for entrepreneurs before. But since many businesses are now run entirely online, the private data stored in their online accounts and on their private servers should always be protected. Moreover, even traditional businesses that didn’t engage in online activities before now run online marketing activities and thus need to keep those secure as well.
Various rules and regulations require businesses to maintain baseline levels of cybersecurity. If business owners don’t understand the cybersecurity laws that relate to their operations, they may be subject to significant penalties, fees, fines, and other punitive consequences.
To fully understand the risk that cybersecurity presents, it’s essential to understand the laws and penalties that apply. Read on to learn the most common cybersecurity laws that businesses should be aware of.
GDPR (EU General Data Protection Regulation)
GDPR is the most significant recent regulatory change in EU data protection law. One of its aims is to improve and update cultural attitudes towards data protection. The law applies to any business selling to, and storing information about, EU citizens, and it is aimed at ensuring that citizens have greater control over their personal data.
GDPR puts the customer in the driving seat, and the task of complying with the rule falls upon organizations and companies. It requires companies that handle personal data to appoint a data controller or data protection officer who is in charge of GDPR compliance.
There are severe penalties for any business that fails to comply. GDPR fines can reach 20 million Euros or four percent of annual global revenue, whichever is greater. For example, British Airways is facing an eye-watering fine of 200 million Euros for a data breach that happened in 2018. Various factors, including the number of people affected and the actions taken to avoid damage, determine the amount of the fine a business can receive.
The E-Privacy Directive
Businesses that deal with telecommunication over public electronic networks and with e-marketing are likely subject to this law. The law was adopted in 2002 and was aimed at addressing the needs of new digital technologies. It is typically applied in the context of e-marketing, as advertisers running pan-European campaigns want to understand whether it applies to the ‘country of destination’ or the ‘country of origin’.
Understanding this law is also relevant to determining the ‘cookie consent’ responsibilities of businesses, i.e. whether they should comply with the opt-in or opt-out rules of every member country. The law requires businesses to obtain a user’s consent before placing and accessing data (like cookies) on the user’s device. It covers all forms of online tracking technology, such as device fingerprinting, so it doesn’t just apply to cookies.
The NIS Directive
The NIS Directive is aimed at enhancing cybersecurity in numerous vital sectors. It is typically aimed at businesses in the energy and aviation sectors, along with other regulated sectors, and requires operators of ‘essential services’ in these sectors to raise the security of their information and network systems.
To satisfy their security obligations, business owners must make sure that appropriate and proportionate technical and organizational measures are in place to manage any risks to their information and network systems. The penalties for breaches of the NIS Directive are severe: the supervisory authorities have the power to levy fines of up to 17 million Euros.
EU Cybersecurity Act
The Cybersecurity Act has two main objectives. The first is to establish an EU-wide cybersecurity certification framework; the second is to strengthen the mandate of ENISA, the EU’s cybersecurity watchdog, to support EU Member States in tackling cybersecurity attacks.
The Cybersecurity Act gives businesses the chance to certify that their products meet EU cybersecurity standards. However, certification is voluntary unless otherwise specified by EU or Member State law. A certification scheme can specify one or more of three security assurance levels: basic, substantial or high. At the basic level, ICT manufacturers or service providers can perform the conformity assessment themselves, while for the substantial and high levels the assessment is performed by national cybersecurity certification authorities.
Each EU Member State has the mandate to develop rules on penalties or fines for infringement of the framework as well as for the breach of the certification schemes.
California Consumer Privacy Act
This law applies to any company that does business in or with California. It will enter into force in January 2020 and seeks to give California consumers the right to control their personal data. Described as California’s answer to the GDPR, it gives consumers the rights to access and notice, non-discrimination, deletion, and opting out of a sale. It also requires businesses to provide a privacy notice and to be transparent about how they process personal data.
Specifically, this law applies to any entity that does business in California and that either derives 50 percent of its annual revenue from selling consumer data, processes the information of over 50,000 consumers for commercial purposes, or has an annual gross revenue of over $25 million.
Data breaches have become too common. In fact, it was reported that during the first half of 2019 alone, 4.1 billion records were exposed through data breaches. That’s why it’s important for businesses to comply with cybersecurity laws. By doing so, their company data, as well as the personal information of their customers, will always be safe from hackers.
Text by Olivia Scott