Monthly Archives: January 2016

CYBERSECURITY The EU Network and Information Security Directive: U.S. Companies Take Note


Preventing or minimizing business risks should result in maximizing profits, but unexpected losses due to cyber security incidents can be costly to both businesses and affected consumers. The European Commission has finally addressed this rising issue with the new draft Directive, the Network and Information Security Directive (“NIS Directive”).  The intent behind the Directive is to create a higher level of network and information security across the EU by mandating that Member States by requiring essential services suppliers and digital network providers adopt higher standards to manage and report cyber security incidents.

The NIS Directive requires Member States to establish national network and information security strategy and implementation of regulations to ensure a high level of network security, create a national competent authority to monitor and enforce such regulations as adopted. Member States are mandated to engage in cooperative measures and information sharing between the Member States.

Operators of essential services, including energy, transport, finance, health, drinking water and digital infrastructure operations will be obliged to take measures to prevent and minimize any impact of cyber security attacks on their network and information systems.  This will also apply to many third party digital service providers that are used in the provision of services by identified essential services.  The affected service providers must have a sufficient incident management process to report, monitor, audit and conduct ongoing testing and to ensure continuity of the services provided.  Sanctions must be put in place to promote compliance, although its yet unknown what those sanctions might be.

So, why should U.S. companies take any notice of the NIS Directive? With the recent erosion of the EU – U.S. Safe Harbor the lack of a clear cut solution, U.S. companies doing business, whether ecommerce or more traditional, would be wise to take steps to ensure compliance with the minimum thresholds set by the Member States enacting regulations to comply with the NIS Directive.  Any EU legislation setting minimum thresholds, for data privacy or security will likely replace the requirements for self-certification in the EU-U.S. Safe Harbor.

If you would like further information, have any questions or concerns please contact us.

Data Privacy and Security: The Demise of the EU-U.S. Safe Harbor

The lack of a cohesive body of data privacy and security laws in the U.S. created problems with transfers of personal information from EU citizens held by U.S. companies. Thus the EU-U.S. Safe Harbor was created and is administered by the U.S. Department of Commerce.  Under the Safe Harbor, U.S. companies could self-certify their compliance with minimum standards of data privacy and security such that the EU deemed such companies efforts as adequate to meet EU data privacy and security principles (set out in both Directives and regulations).  Late in 2015, the European Court of Justice issued a judgment declaring the Safe Harbor agreement as invalid.  This decision is cause for concern as U.S. companies may discover that they are no longer in compliance with EU data privacy and security principles, even though they have self-certified under the Safe Harbor.  Nevertheless, the Department of Commerce continues to allow U.S. companies to register and self-certify in the Safe Harbor program as a new solution is being sought to address tighter controls to meet more stringent data privacy and security principles.

In the meantime, companies of all sizes should be reviewing their current practices and reviewing the practices of any third party services providers being used, including cloud services. Be ready to take action.  Approximately one third of all data transfers of personal information is between the U.S. and the EU.  The EU General Data Protection Regulations (GDPR) set to become law in 2018 sets in place more rigorous regulations for consent to collect personal data, requests for removal of personal information from servers, and stepped up enforcement for complaints.  The object of the GDPR is to ensure strict levels of security without impeding market growth for businesses. Fines for failure to comply with the new Regulations may result in fines of up to 4% of a company’s global revenue.

Although the GDPR isn’t scheduled to take effect for some time, moving to best practices and implementing changes that will ensure future compliance is necessary. Don’t wait until the Regulations become effective, the invalidation of the Safe Harbor can, and likely will, trigger law suits against U.S. companies regardless of whether they have self-certified under the Safe Harbor.

Don’t be left behind and leave your company exposed.