Breach fines are fair and must be considered
And business customers need to prepare for the EU law reforms if they haven't already, says TK Kianini
People in leadership positions all over the world should remain current with these developments because this EU process is what it looks like when you need to bring together multiple stakeholders to agree on a governance policy with consequences.
The EU – for whatever reason – has been able to move this process forward, unlike in the US, for example, which has no such federal law to govern its states in the event of a data breach.
The readiness recommendation is that you understand these requirements and ask yourself what technology or process change will need to be acquired or modified, so that most of it can be automated. By May next year, your customers should have enough information to frame an incident response scenario which their organisations and practices can use to get ready for the real events.
MEPs have backed a right to erasure that entitles anyone to contact an internet firm and have it delete personal data. It would also have to ensure third parties hosting that same data remove it, too.
How practical is this when seeking approval from the board?
Lawmakers have come to the proper conclusion that the internet never forgets. What has been seen cannot be unseen, so laws and policies must recognise this inherent characteristic of information, as opposed to physical properties.
As the EU's stance here is moving to a single regime, how practical would it be to do the same across all nations with different cultures?
While cultures and nations differ, they are all facing a common advanced threat. It is from this perspective that there must be rules to how an organisation must behave prior to an incident, during an incident and after an incident.
You can bet that the threat originators are paying close attention to this development, because they will adjust accordingly as they always do.
MEPs are now calling for five per cent fines, and these are necessary.
There must be pain or it will just be viewed as a "cost of doing business" fee. Getting the amount right is critical, and it already looks like some analysis went into developing an appropriately tiered model.
Having no fines at all would be a mistake. Having unreasonably high fines would just result in revision after revision until it settled down. Five per cent is just painful enough to encourage behavioural change.
TK Kianini is chief technology officer at Lancope