LEGAL
On July 6, 2016, the European Parliament adopted the Directive on Security of Network Information Systems, which represents the first EU-wide rules on cybersecurity. While the law does not come into effect until May 2018, it will be critical for companies operating in the European Union to understand whether or not the law applies to them and, if so, what will be required for them to be in compliance.
This article provides a brief primer on the Directive itself and then gives companies three ways in which they can prepare to meet its requirements: (1) keeping up to date on company-wide cybersecurity measures, (2) negotiating information technology contracts with the Directive in mind, and (3) tailoring an incident response plan for use in Europe.
The Directive has three stated goals:
Because trends in cybercrime are only visible to entities with huge resources and broad investigative powers, the Directive intends to use the Cooperation Group to analyze these trends throughout Europe. In the United States, the Federal Bureau of Investigation and the Secret Service work together to understand threats posed to the country’s companies and individuals. While Europe has been at the fore of protecting its citizens’ data privacy, it currently lacks the same infrastructure to deal with cybercrime. The Directive attempts to solve this problem.
As to the companies it covers, the Directive imposes obligations on companies in vital industries both to increase security and to mitigate any damage done or disruption caused by a data breach incident.
The Directive applies to companies defined as providing “essential” services, which include companies operating in the following sectors: energy, transportation, financial services, banking, drinking water supply and distribution, health care, and digital infrastructure (this sector includes companies that provide Internet exchange points, domain name system providers, and registries). Digital Service Providers (DSPs) include online marketplaces such as Amazon, cloud computing providers like Microsoft, and search engines such as Google. Micro and small companies, as defined in European Commission Recommendation 2003/361/EC (companies with less than 50 staff and less than or equal to €10 million on their total balance sheet) do not fall under the scope of the Directive.
While the Directive does not precisely define how significant a data breach must be to require notification to national authorities, it does identify five parameters in the analysis: (1) the number of users affected, (2) the duration of the incident, (3) the geographic spread, (4) the extent of the disruption, and (5) the impact on economic and societal activities. In the coming months, the European Commission will promulgate additional rules and regulations adding details to these parameters. Once triggered, a reporting obligation requires a company to notify the relevant national competent authority and/or CSIRT. Importantly, this requirement is in addition to any consumer or user data breach notification obligations that apply to the company in question.
Working with law enforcement agencies in the course of investigating a data breach can be a difficult and risky endeavor on its own. For that reason, companies should, as part of their overall strategy, designate a single point of contact to deal with them. Whether it is your company’s chief information security officer or outside counsel, speaking with a single voice will improve coordination and reduce the risk of miscommunication.
As part of its goal to manage cybersecurity risk, the Directive imposes obligations on the private companies to which it applies. In short, impacted companies must take appropriate security measures to prevent risks, to ensure the security of their network and information systems and the data stored therein, and to implement an incident response plan to handle data breach incidents.
If this seems vague to you, that is because the Directive has not been supplemented with specific minimum prescriptions for the “appropriate security measures” that it will require of covered companies when it becomes enforceable in May 2018. Once again, the European Commission has been empowered to add detail here. However, we can surmise from the current threat atmosphere that improving your company’s cybersecurity capabilities and keeping up with technical advances must be part of every company’s compliance plan. With the recent rise in ransomware attacks, the creation of more sophisticated phishing emails, and the continued leveraging of weak credentials by cybercriminals, companies need to adopt a holistic strategy to deal with these increasing threats.
This means coordinating all aspects of your company’s business to ensure that there is no “weak link” for cybercriminals to exploit. Information that is vital to your business or sensitive in nature needs to be protected at a higher level and restricted from access by rank-and-file personnel. In addition to using up-to-date technical security measures, your company’s strategy should also include a full review of your outside IT vendors and the contracts governing those relationships, as well as the refining of your incident response plan to take into account the new cybersecurity infrastructure and standards imposed by the Directive.
Though more and more companies are exporting their data to the cloud, most of them do not think to use contracting for those services, or similar data storage services, as an opportunity to review how their cybersecurity practices mesh with those of their chosen vendor. Given that cloud computing providers are covered by the Directive, they likely will be out in front on cybersecurity issues. Your company should take advantage of that by asking questions during the contract negotiation about how the cloud computing provider intends to interpret the Directive and comply with its terms.
Even if the cloud computing provider or other IT vendor storing your company’s data is not willing to divulge its compliance plans during the contract negotiation period, your company should at least insist upon detailed information concerning the following:
Clarifying these issues and, to the extent possible, incorporating the answers into your contracts with IT vendors can help your company prepare to comply with the Directive.
Every company impacted by the Directive should already have an incident response plan in place. But it is important to remember that incident response plans are not static documents. They must be dynamic and alterable as circumstances dictate. Tailoring your incident response plan to take into account the forthcoming cybersecurity standards in Europe will increase your chances of minimizing any business disruption when the new European CSIRTs arrive to review your company’s data security policies.
Incident response plans invariably call for a small group of people, usually led by the company’s general counsel or outside counsel, to implement measures designed to minimize the impact of a data breach incident. This allows companies to act quickly and avoid the spread of misinformation. The new Directive requires companies to assess a breach with facility and determine whether they must notify the national authority in place in the Member State in which they conduct business. Accordingly, the incident response plan should include a mechanism providing for a meeting between IT personnel and legal personnel to analyze the breach and make a recommendation to the decision makers. Without a specific provision detailing this process, companies will have to make their notification determination on the fly.
On the risk management side, companies should follow the European Commission and read the new, detailed regulations fleshing out the Directive as they are released. Understanding these regulations and how the new CIRSTs and Member State national authorities will use them is the key to compliance. For example, while all companies should document the steps taken in response to a data breach, the European Commission regulations will likely provide guidance concerning what kind of documentation the CIRSTs and national authorities will seek to review.
At this point, the new EU cybersecurity Directive creates more questions than answers. But that does not mean the companies affected have the luxury of waiting for more information before taking steps to ensure their compliance with the Directive in 2018. By maintaining and updating cybersecurity features, incorporating the Directive’s general principles into IT vendor contracts, and customizing an incident response plan, your company can avoid falling behind.
John C. Eustice, a member at the law firm of Miller & Chevalier chartered in Washington, D.C., has developed experience in data security and data privacy issues, including issues relating to cloud computing services, incident response, and cross-border transfers of electronic data. Mr. Eustice advises clients on information technology contracts, data security, and data privacy compliance. He can be reached at jeustice@milchev.com and 202-626-1492.
-->
