Standards of legislation relating to data protection and cyber security that companies are expected to adhere to vary widely by region. This section provides an overview of key legislation in force across the regions from which the company sample was drawn.
In the European Union, data protection legislation is more centralised and weighted towards the privacy rights of individuals. The European Union’s Data Protection Directive came into force in 1995 across EU member states. In December 2015, two new pieces of legislation were enacted, aiming to respond to demands for privacy in the information age. These are GDPR and Network and Information Security Directive (NISD).
GDPR aims to return control of personal data to users and simplify the EU’s regulatory environment.
Key elements include:
- regulation will apply to companies headquartered outside of Europe if they have operations in Europe;
- it will apply to those that control the data (that determine the purpose and manner in which the data is processed) as well those who process it;
- failure to report a data breach may result in a company being fined €20 million or up to 4% of total global turnover (whichever is greater);
- data breaches should be reported by companies as soon as possible and, where feasible, no later than 72 hours after discovery;
- personal data now extends to items such as location and IP address, as well as medical data, including genetic information;
- the “right to be forgotten” is now enshrined in law, allowing people to request that search engines delete links to the data in question; and
- new requirements for organisations to carry out Privacy Impact Assessments (PIAs) to ensure that personal data is sufficiently protected and privacy of the individual maintained.
NISD requires EU member states to have a national cyber security strategy. It also designates various essential service providers as part of the Critical National Infrastructure (CNI). The definition of CNI is broad and includes companies across the electricity, energy, transport, finance and digital/telecoms sectors. Those organisations that are designated as part of the CNI must take appropriate cyber security measures and report serious data breaches to the national authorities. Failure to comply may result in financial penalties to the companies in question and therefore represent significant risk to any organisation that is designated as part of the CNI and its investors.
The US approach to cyber security regulation is decentralised and sectoral. There is no single federal data protection law, though many states have their own privacy and data protection laws.
Three key regulations are the aforementioned Health Insurance Portability and Accountability Act, the Gramm-Leach-Bliley Act (1999) and the Homeland Security Act (2002), which deal with the protection of systems and information respectively in the healthcare, financial and federal government sectors.
Individual states have their own regulations. California’s Notice of Security Breach Act (2003), for instance, requires that any company storing data on California citizens must disclose details of any security breaches.
On 21 February 2018, the SEC issued guidance to assist public companies in their disclosure, oversight and other obligations relating to cyber security risks and incidents. The drive behind the release was the increase in frequency and severity of cyber security incidents, and their potential for significant loss, reputational harm and ongoing damage to a company’s business. The new guidance expands the SEC’s previous 2011 cyber security guidance that required companies to report material breaches and their potential business, financial and operational impacts.
Two new topics addressed were disclosure controls and procedures and, insider trading prohibitions.
- Insider trading: in one high-profile case last year, the SEC and the US Department of Justice investigated the sale of $1.8 million of stock by three Equifax executives after the company learned of a breach of 143 million records, but before the breach was disclosed to the public. The new guidance states that companies must have controls to prohibit insiders from trading on material non-public information relating to cyber security risks and incidents.
- Disclosure controls and procedures: the new SEC guidance also draws attention to specific cyber security risks. For example, it mentions ransomware, phishing, SQL injection attacks and DDoS attacks. In the case of DDoS attacks, the SEC warns companies that if they have suffered an attack previously, it is not enough to inform investors that such an attack might occur. Instead, they may need to discuss the previous incident and its consequences. It also mentions legal risks, increased insurance premiums and damage to the company’s competitiveness, stock price and long-term shareholder value35.
The Privacy Amendment Bill (Notifiable Data Breaches) 2016 passed both Houses of Parliament in February 2017. The law establishes mandatory data breach reporting obligations on government agencies and businesses under the federal Privacy Act 1988. The scheme came into effect on 22 February 2018. Now, agencies, businesses and non-profits with turnover greater than A$3 million are required to notify eligible data breaches to the Australian Office of the Australian Information Commissioner (OIAC) and affected individuals. An eligible data breach occurs when:
- there is unauthorised access to, or unauthorised disclosure of, personal information, or a loss of personal information, that an entity holds;
- this is likely to result in serious harm to one or more individuals (psychological, emotional, physical, reputational or other forms of harm); and
- the entity has not been able to prevent the risk of serious harm with remedial action36.
To maintain compliance with the impending requirements, the OIAC has advised entities to have a data breach response plan. Where entities have reasonable ground to believe (rather than to suspect) that an eligible breach has occurred, they are required to undertake a “reasonable and expeditious” assessment of whether an obligation to notify exists.
In Japan, the Act of Protection of Personal Information (APPI) creates nation-wide corporate data protection responsibilities. Companies are required to keep personal data safe and only supply data to third parties with consent from the data subject. Companies are also required to obtain consent for holding sensitive personal data such as a data subject’s race, social status, medical record, criminal history and status as a victim of crime37.
In South Korea, the main acts on data protection are the Personal Information Protection Act (PIPA) and the Act on the Promotion of IT Network Use and Information Protection (Network Act) – these relate to the collection, use, provision, outsourcing, storing and destruction of personal information. Consent from data subjects is required before their personal data can be used.
Neither Japanese nor South Korean cyber security laws mandate that cyber security breaches, including loss or theft of personal data, must be disclosed to the public or government authorities.
Download the report
Stepping up governance on cyber security: what is corporate disclosure telling investors?
Stepping up governance on cyber security
- Currently reading
Regulatory landscape - overview