The Court of Justice of the European Union (CJEU), the European Union’s highest court, invalidated the U.S.-EU “Safe Harbor” data transfer regime in a controversy arising out of Maximillian Schrems’ complaint to the Irish Data Protection Commissioner. The Schrems decision will have significant privacy implications for companies that transferred data under the Safe Harbor regime; there could, however, also be implications for companies’ cyber insurance.
The Safe Harbor program has been in place since 2000 and was meant to bridge the gap between the regulatory requirements for the handling of personal data in the EU and the U.S. The Safe Harbor created a self-certification mechanism by which companies in the U.S. could opt into a set of rules governing the handling of EU personal information in order to meet EU privacy law requirements. If a company opted in, it was then able to receive data transfers from the EU to the U.S. without further approval.
The Schrems ruling found that the protections afforded by the Safe Harbor were in fact not adequate. The CJEU noted that the protections required to meet Safe Harbor obligations could actually be disregarded for a number of reasons, including at the request of certain government entities or where preempted by U.S. law. The CJEU therefore held that a company’s decision to opt into the Safe Harbor does not necessarily protect the personal data of EU citizens, and that it would no longer consider such Safe Harbor participation by a U.S. company sufficient to meet the requirements of EU privacy laws.
The sharing of information between the EU and U.S. will not be immediately halted – the ruling allows an EU nation’s supervisory authorities to evaluate the treatment of data in a particular case – but if no resolution is reached by January next year, there is a possibility that at least some EU nations will follow the CJEU’s lead and commence regulatory investigations and proceedings to evaluate specific data transfers to U.S. companies. For companies that once relied on the Safe Harbor program, there may be implications for their purchase or renewal of cyber insurance.
Applying for cyber insurance involves answering a series of questions on a proposal form, which insurers use to assess the respective data exposures of a business. It is therefore conceivable that insurers may introduce questions about the transmission of data across various jurisdictions. Depending on the responses given, insurers could reassess their premiums, and an increase in premiums is likely if suitable measures are not in place.
Cybersecurity Information Sharing Act (CISA)
After years of deliberation and debate, the Senate has passed the Cybersecurity Information Sharing Act (CISA). The bill aims to reduce cyber attacks by allowing companies to share cybersecurity threat data with the Department of Homeland Security and other federal agencies. If, as expected, the bill passes in the House and becomes law, CISA would facilitate the sharing of cyber threat indicators — the latest forms of malware, spear phishing campaigns, and known malicious domains — between the private and public sectors.
Cyber Essentials
Cyber Essentials is a set of basic technical controls for organisations to use. The scheme was launched on 5th June 2014 and enables organisations to attain one of two Cyber Essentials badges. It is backed by industry, including the Federation of Small Businesses and the CBI, and a number of insurance entities are offering incentives for businesses to take it up.
The Cyber Essentials Requirements document sets out the technical controls that are required. The Assurance Framework demonstrates how the independent assurance process operates and the various levels of assessment businesses can apply for in order to achieve these badges. In addition, it provides guidance for security professionals carrying out assessments.
With effect from 1st October 2014, the government requires all suppliers bidding for certain contracts involving the handling of sensitive and personal information to be certified against the Cyber Essentials scheme.
Ten Steps to Cyber Security
The Ten Steps is a Department for Business, Innovation and Skills (BIS) publication which aims to help businesses prevent or deter most cyber attacks. The Executive Companion offers guidance for businesses on how to make the UK’s networks more resilient and protect key information assets against cyber threats. It covers risk management and corporate governance and includes case studies based on real events. The advice sheets provide detailed cyber security information and advice in 10 important technical and process/cultural areas.