Cybersecurity: Customer trust in light of upcoming regulation

Results of a current survey

A survey released in December by security vendor Gemalto found that

  • 75% of the participants didn’t think the protection of their data was taken seriously by firms
  • 64% of the participants said that, if financial or sensitive data was stolen, they would end the business relationship
  • 31% of the participants were already victims of a data breach
  • 23% of these victims considered legal action as a result

Further, PwC’s 2016 “Global State of Information Security Survey” (GSISS) survey showed, compared to last year’s report,

  • 38% more security incidents, and
  • 56% rise in Intellectual Property theft cases

Even if you view such surveys critically – as I do – they show a tendency and a reason for action. It makes sense to define and implement appropriate and effective Cybersecurity measures.

 

EU Strategy 2020

Already in 2010 the European Union defined the basics: 1 “Digital Single Market” and 3 “Trust and Security” of their 2020 strategy set out the activities and measures needed to increase trust in IT services and the security of data and critical infrastructure. The 2012 Eurobarometer of Cybersecurity showed that 38% of all Internet users made online payments.

Two of these activities were to revise the European General Data Protection Regulation (GDPR) and provide a better Network and Information Security (NIS). The trilogue meetings for NIS ended on 8 December 2015 and on 15 December 2015 for the GDPR. We anticipate that the counsel and the EU Parlament will adopt and enact both regulations in 2016.

 

NIS / EU Cybersecurity Directive

The NIS / Cybersecurity Directive Guideline envisages „measures to safeguard a high common network and information security” – stipulates that public confidence should be increased by:

  • Increase the preparedness of the Member States through e.g. development of national NIS strategies and authorities
  • Improved cooperation and coordination among Member States
  • Establishment of national Emergency Response Teams (CERTs)
  • Definition of binding safety requirements for public administration and operators of critical infrastructure in the Energy, Transportation, Banking, Financial Market sectors, Internet Service Providers and Exchange points, Food distribution and Health providers.

These industries will now be required to take appropriate steps to identify security risks and treat them accordingly, and to report serious security incidents to the appropriate authorities. This would affect all service providers in and to the EU.

The national authorities would be allocated appropriate powers of enactment and enforcement. Their mandate would enable investigations of fraud including demanding evidence of an effective implementation of their security policies, for example, by reports of an independent body. Further, member states should adopt “appropriate” – read “prohibitive” – sanctions for non-compliance.

Once this Directive has been adopted by the EU, the Member States are likely to have 21 months to implement it and another six months to determine critical infrastructure services operators.

 

General Data Protection Regulation (GDPR)

To protect personal data and increase the confidence of people using digital services, the GDPR (*5) would reinforce various aspects of the current European data protection directive 95/46 / EC, in particular:

  • Mandatory requirements for companies to identify risks, impacts, and define appropriate security measures, enabling data portability and the “right to be forgotten”
  • Early Access to data protection (“Data Protection by Design and by default ‘)
  • Better means of redress
  • Strengthening data protection authorities
  • Fines of up to EUR 1 million or 2% of turnover

 

Situation and Impact for Switzerland

The Swiss parliament has also revised the current Data Protection Act. Although the exact text of the law is not yet available, it is known that the general thrust and concepts that are already available for GDPR will be adopted into the Swiss Data Protection Act in similar form (“Swiss Finish”).

Switzerland has a national strategy to protect against cyber risks (NCS) which defines the legal basis for action in Measure 16. According to the NCS 2014 annual report, however there is no urgent need for legislation in addition to the currently ongoing ordinary legislative procedure. However, it is likely that Switzerland will need to adopt parts of the European Cyber Security policy to continue to participate in the “Digital Single Market” of the EU.

For Swiss companies that offer critical infrastructure services in the EU or to EU citizens, it will be compulsory to comply with the EU Cyber Security Directive (NIS) and GDPR.

 

Conclusion

Swiss firms working in the EU and with EU citizens will need to adjust to upcoming legislation and their mandatory requirements. In order to strengthen your consumers’ confidence, we recommend an early adopter approach to cyber security and data protection from your firm.

 

 

Save the date

We would be pleased to inform you more in our Webinar on Tuesday 26 January 4pm, in which we update you to the latest Data Protection & Cyber security regulatory developments. An invitation will be included in the January newsletter.

For further Information please contact:

Marco Schurtenberger, Cyber Security & IT Compliance Specialist marco.schurtenberger@ch.pwc.com, +41 58 792 22 33

Safe Harbor: stormy seas in Europe − impending storm in Switzerland?

On 6 October this year the European Court of Justice declared that the European Commission’s ‘Safe Harbor’ decision (2000/520) of 2000 which found that the United States afforded an adequate level of protection of personal data was invalid.

Safe Harbor Framework

This Safe Harbor Framework was one of a number of legal bases allowing the transmission of personal data from the EU to the United States to the 5,500 or so US entities self-certified under the Safe Harbor scheme. With this legal basis no longer valid, data transfer now has to be put on another basis, as stipulated in Article 26 of EU Directive 95/46/EC.

Declaration of invalidity

One of the reasons for the European Court of Justice’s declaration of invalidity is that personal data are not afforded adequate protection because the Safe Harbor Framework does not sufficiently limit the US government’s ability to infringe on the fundamental rights of individuals for reasons of national security and the public interest, and that it even gives these aims precedence over the safe harbor principles. There are thus not adequate safeguards in place to ensure that personal data will only be accessed if this – in terms of the European interpretation – is necessary and proportionate. As evidence of disproportionate use of personal data by government authorities it points to the PRISM programme exposed by Edward Snowden.

Implications for Switzerland

This European Court of Justice decision does not have any direct consequences for Switzerland for the time being. Switzerland and the United States have their own Safe Harbor arrangement – albeit virtually identical to the US/EU agreement – that currently affords an adequate level of data protection for around 3,900 self-certified US entities. However, it seems likely that the turmoil in Europe will also spill over into Swiss data protection, and that the Swiss Federal Data Protection and Information Commissioner (FDPIC) will also conclude that the Swiss Safe Harbor Framework no longer meets the requirements of Swiss data privacy law. In its initial opinion, the FDPIC indeed expressed the view that the European Court of Justice’s decision also calls the agreement between Switzerland and the United States into question, and that as far as Switzerland is concerned, in the event of renegotiation only an internationally coordinated approach that includes the EU would be appropriate.

Update:

On 22 October the FDPIC found that the Safe Harbor Framework between Switzerland and the United States no longer constitutes an adequate legal basis for data transfer to the United States. Swiss companies that transfer data to the United States on the basis of the Safe Harbor Framework must contractually agree guarantees assuring adequate levels of data protection with the US entity by the end of January 2016. While this will not solve the problem of disproportionate interference by the authorities, it will enable the level of data protection to be improved somewhat. In addition, persons affected must be given clear and comprehensive information, especially regarding the possibility that the data could be accessed by the authorities

If you’d like to talk about Safe Harbor, contact our experts: