
Only 1% of Cloud Service Providers Meet Proposed EU Regulations (and Why This Matters to You)

99% of cloud providers aren't meeting new EU regulations. Find out what you need to know about new data security laws and what they mean for your liability.

Friday, August 22, 2014/Categories: cloud-security

The European Union's new data security regulations could come into effect as soon as 2015 or 2016 (they aren't law yet), but as ZDNet reports, practically no cloud service providers are prepared to comply with them.

You might be wondering, "Do I need to comply with European data breach laws?" The answer to that question is complicated. These new laws govern European citizens, so if your clients do business with European vendors or sell their products to European citizens, you could be forced to comply.

Let's take a closer look at what these new laws require from IT professionals and cloud providers.

What Do the EU's New Laws Mean for American IT?

A few months ago, Google was in the news when European courts ruled that users had the right to remove links to pages about them. Users could petition Google to remove links they thought were inadequate, inaccurate, or outdated.

The so-called "right to be forgotten" is one aspect of the EU's tougher data breach standards. Additionally, the new laws could require…

  1. Data breach notification to EU officials within 24 hours of breach.
  2. Increased encryption and password standards.
  3. Data residency requirements (even if data is stored in non-EU countries, it must meet certain EU requirements).

According to Net Security, failure to comply could mean a fine of over $133 million or 5 percent of a business's revenue.

As an IT professional, you probably already have a number of objections to these new requirements. For instance, data residency regulations are hard to comply with because cloud data is often iterated in data centers in various locations across the world (many in the U.S.).

In fact, these new requirements are so far from what the typical cloud company does that 99 percent of current cloud service providers are not in compliance.

What Is Safe Harbor?

European data breach laws have a provision for "safe harbor," which outlines other less restrictive data breach regulations that U.S. and other non-EU companies can follow. If you follow these regulations, you receive "safe harbor," or partial protection under the law.

Though the law isn't finalized and safe harbor provisions could change, these regulations will probably resemble current safe harbor laws, which require U.S. businesses to be regulated by the FTC and follow industry standards (e.g., those established by Verisign and TRUSTe).

For more on safe harbor and data breach regulations, see our post, "Data Breach Laws? Looks Like Europe Took Care of It for Us."

Why New Laws Expose You to More Lawsuits

Depending on your clients' IT requirements and the nature of their data, if these laws are passed, you might need to incorporate a few changes. But even if these laws don't apply to your work, there are a few important takeaways:

  1. Data security laws aren't made with the IT consultant in mind. The burdens imposed by these laws might make technology less effective (as they reduce the ability for cloud data centers to iterate data). Generally speaking, these new laws add new hurdles for IT consultants.
  2. As an IT consultant, you need to be aware of changing regulations. Stay abreast of laws that could change how you monitor and store client data. Adapt accordingly.
  3. The cloud makes security harder to regulate and exposes you to liability. IT consultants can be shielded from legal penalties and lawsuits if they follow the letter of the law. But the cloud simply makes that hard to do. You don't know where your clients' data is stored or what security protocol the cloud provider follows. As we've seen, only 1 in 100 cloud providers are currently compliant.

When you add all this up, you can see that the data security landscape is filled with ambiguity and liability. IT consultants often don't know exactly what their legal responsibilities are.

That means, as an IT professional, you're exposed to risk every day – risk that could lead to lawsuits.

If clients sue you for a data breach or seek damages because you're not complying with international data breach laws, your E&O Insurance can cover your legal expenses. To get an idea of how much this coverage costs, see our sample insurance quotes for IT professionals.
