Businesses need to be aware of global privacy regulations, panel agrees

By Erin Ayers on May 22, 2014

Data privacy concerns cover more ground than simply guarding against security breaches that expose customer data, according to a panel of cyber risk experts speaking during a recent Advisen webinar sponsored by ACE.

During the discussion, panelists agreed that organizations must be aware of privacy laws and regulations all over the globe to ensure that they are in compliance anywhere they do business.

LISTEN: Data privacy laws: coming to a market near you?

Iain Ainslie, technology and cyber underwriter with ACE European, noted that securing against data breaches in the United States has dominated the conversation on privacy in the insurance world. However, privacy regulations in European countries go further, creating obligations for how organizations handle consumer data, whether they can opt out, and what privacy really means.

“It brings in a new level of legality,” said Ainslie.

Bridget Treacy, managing partner with Hunton and Williams, explained that Europe’s privacy laws require companies to think about their broader responsibilities and hold them accountable for “any violation of data protection,” not just breaches by outside actors.

She noted, “There’s no data privacy without data security. But there can be breaches of privacy without an exposure of data.”

Treacy also said she sees a growing “expectation” that businesses will factor in privacy requirements not only in their own countries but in others before rolling out new products or processes. She cited a “data localization requirement” in Indonesia, requiring Indonesian businesses that operate on the Internet to actually store their data in that country.

“We all know that data is the lifeblood of our digital economy,” she said.

Ainslie emphasized that insurers find it difficult to create standardized products for use across borders. In some countries, for example, “cyber” carries a different connotation.

“We really do need to understand those local environments,” he said. “We have to ensure that we can have a standardized approach while at the same time understanding the local nuances.”

Treacy observed that regulators are collaborating more on privacy protections and “being very creative” in how they use their authority to charge entities that don’t comply. Regulators are also proving “adept at using the media” to publicly call out companies for not protecting data appropriately, she said.

Panel moderator Rebecca Bole, director of editorial strategy for Advisen, noted that data breaches can seriously damage a company’s reputation in the eyes of consumers.

“It’s a very fragile confidence they have and we see how quickly that confidence can be broken and it can be very detrimental to a business,” she said, asking panelists to discuss how organizations should best safeguard data.

Ken Munro, partner with Pen Test Partners, a security firm, said board-level buy-in is essential, as well as investing in technology to add “layers of protection” for data and properly training all employees. He cited the recent announcement of a data breach at eBay. The breach occurred in late February to early March, but the company only went public this week.

“Organizations need to start waking up and realize we have to deal with this sooner,” he said. Munro advised roleplaying crisis management scenarios to prepare an entire business.

Ainslie added that businesses generally want to see a return on investment for the technology they purchase. He highlighted Microsoft’s announcement that it would no longer provide support for Windows XP. Businesses might look at the number of computers they would have to upgrade and think the cost outweighs the benefit. That’s the wrong move, according to Ainslie, and creates vulnerabilities for a business.

“It’s very, very dangerous not to continue with investment,” he said, adding that businesses also need to evaluate their vendor relationships on an annual basis to ensure all vendors comply with privacy regulations.

erin.ayers@zywave.com

Erin is the managing editor of Advisen’s Front Page News. She has been covering property-casualty insurance since 2000. Previously, Erin served as editor-in-chief of The Standard, New England’s Insurance Weekly. Erin is based in Boston, Mass. Contact Erin at [email protected].