Results of a current survey
A survey released in December by security vendor Gemalto found that
- 75% of the participants didn’t think the protection of their data was taken seriously by firms
- 64% of the participants said that, if financial or sensitive data was stolen, they would end the business relationship
- 31% of the participants were already victims of a data breach
- 23% of these victims considered legal action as a result
Further, PwC’s 2016 “Global State of Information Security Survey” (GSISS) survey showed, compared to last year’s report,
- 38% more security incidents, and
- 56% rise in Intellectual Property theft cases
Even if you view such surveys critically – as I do – they show a tendency and a reason for action. It makes sense to define and implement appropriate and effective Cybersecurity measures.
EU Strategy 2020
Already in 2010 the European Union defined the basics: 1 “Digital Single Market” and 3 “Trust and Security” of their 2020 strategy set out the activities and measures needed to increase trust in IT services and the security of data and critical infrastructure. The 2012 Eurobarometer of Cybersecurity showed that 38% of all Internet users made online payments.
Two of these activities were to revise the European General Data Protection Regulation (GDPR) and provide a better Network and Information Security (NIS). The trilogue meetings for NIS ended on 8 December 2015 and on 15 December 2015 for the GDPR. We anticipate that the counsel and the EU Parlament will adopt and enact both regulations in 2016.
NIS / EU Cybersecurity Directive
The NIS / Cybersecurity Directive Guideline envisages „measures to safeguard a high common network and information security” – stipulates that public confidence should be increased by:
- Increase the preparedness of the Member States through e.g. development of national NIS strategies and authorities
- Improved cooperation and coordination among Member States
- Establishment of national Emergency Response Teams (CERTs)
- Definition of binding safety requirements for public administration and operators of critical infrastructure in the Energy, Transportation, Banking, Financial Market sectors, Internet Service Providers and Exchange points, Food distribution and Health providers.
These industries will now be required to take appropriate steps to identify security risks and treat them accordingly, and to report serious security incidents to the appropriate authorities. This would affect all service providers in and to the EU.
The national authorities would be allocated appropriate powers of enactment and enforcement. Their mandate would enable investigations of fraud including demanding evidence of an effective implementation of their security policies, for example, by reports of an independent body. Further, member states should adopt “appropriate” – read “prohibitive” – sanctions for non-compliance.
Once this Directive has been adopted by the EU, the Member States are likely to have 21 months to implement it and another six months to determine critical infrastructure services operators.
General Data Protection Regulation (GDPR)
To protect personal data and increase the confidence of people using digital services, the GDPR (*5) would reinforce various aspects of the current European data protection directive 95/46 / EC, in particular:
- Mandatory requirements for companies to identify risks, impacts, and define appropriate security measures, enabling data portability and the “right to be forgotten”
- Early Access to data protection (“Data Protection by Design and by default ‘)
- Better means of redress
- Strengthening data protection authorities
- Fines of up to EUR 1 million or 2% of turnover
Situation and Impact for Switzerland
The Swiss parliament has also revised the current Data Protection Act. Although the exact text of the law is not yet available, it is known that the general thrust and concepts that are already available for GDPR will be adopted into the Swiss Data Protection Act in similar form (“Swiss Finish”).
Switzerland has a national strategy to protect against cyber risks (NCS) which defines the legal basis for action in Measure 16. According to the NCS 2014 annual report, however there is no urgent need for legislation in addition to the currently ongoing ordinary legislative procedure. However, it is likely that Switzerland will need to adopt parts of the European Cyber Security policy to continue to participate in the “Digital Single Market” of the EU.
For Swiss companies that offer critical infrastructure services in the EU or to EU citizens, it will be compulsory to comply with the EU Cyber Security Directive (NIS) and GDPR.
Swiss firms working in the EU and with EU citizens will need to adjust to upcoming legislation and their mandatory requirements. In order to strengthen your consumers’ confidence, we recommend an early adopter approach to cyber security and data protection from your firm.
Save the date
We would be pleased to inform you more in our Webinar on Tuesday 26 January 4pm, in which we update you to the latest Data Protection & Cyber security regulatory developments. An invitation will be included in the January newsletter.
For further Information please contact:
Marco Schurtenberger, Cyber Security & IT Compliance Specialist email@example.com, +41 58 792 22 33