As digitisation grows, cyberattacks are becoming more sophisticated and more widespread. In the first quarter of 2023 alone, 6.41 million data records were exposed worldwide, affecting millions of people.[1] A data breach is one of the biggest risks facing a modern organisation. Fortunately, legislators around the world are working to keep these threats at bay.
71% of countries worldwide now have data protection and privacy legislation in place.[2] There is a strong global push to protect businesses and individuals from cyber-attacks and to punish those who break the rules. But how effective is cyber security legislation proving to be? The examples below, from different regions, suggest that the newer regulations are having a positive impact and changing the way businesses handle data.
GDPR (General Data Protection Regulation) – EU
The General Data Protection Regulation (GDPR) governs how the personal data of people in the EU may be collected, processed and transferred. It came into effect on 25 May 2018 and was one of the biggest changes to European privacy law in decades.
Transparency is a core principle of the GDPR, which means companies must be open and honest about the information they collect. For example, companies must tell people what data is being collected and why, and must report a personal data breach to their supervisory authority within 72 hours of becoming aware of it (unless the breach is unlikely to pose a risk to the people affected).
Before GDPR came into effect, companies would often collect as much data as possible. Now they need a lawful basis for every processing activity, such as the user’s consent, and may collect only the data they actually need. The security implication is that users have greater control over their data and better visibility of which parties hold it, and an organisation that holds less data has less to lose when something goes wrong.
Penalties and effectiveness
GDPR has also built a strong reputation for its large fines. Google, Amazon, Meta and many smaller organisations have been sanctioned under GDPR, which sets a maximum fine of €20 million or 4% of a company’s annual global turnover, whichever is higher. The largest fine imposed in Spain to date was against Google in May 2022, when the company was fined €10 million for unlawful data processing.[3] Fines like these act as a deterrent and push companies to make data protection a priority.
GDPR is at the forefront of data protection and has proven effective at imposing penalties: since 2018, supervisory authorities have issued over 1,600 fines under it.[4] GDPR is widely considered a success because it has “strengthened, modernised and harmonised data protection across the EU.”[5]
Data Protection and Digital Information Bill – UK
The Data Protection and Digital Information Bill is a UK framework that updates the Data Protection Act 2018. Its changes include alterations to subject access requests (SARs), which give people the right to ask an organisation what personal data it holds about them. The bill matters because it is intended to provide a secure data protection regime for people living in the UK.
The bill also establishes a framework for digital verification services (DVS), which aim to keep accounts secure by letting people prove their identity digitally, from the comfort of their own homes, through certified providers. The argument for digital IDs is that they are more efficient, offer stronger protection against fraud, and involve minimal data collection, which reduces the impact of a breach.[6]
Penalties and effectiveness
There were several high-profile data breaches before 2018, such as the series of NHS breaches between June 2011 and July 2012, which affected over 1.8 million health and employee records.[7] Incidents like these show just how important UK data protection law is for keeping people safe.
The bill has not yet passed into law, so its effect cannot be measured directly, but the trend in reported breaches under the UK’s existing regime is encouraging: the proportion of UK businesses recalling a breach or attack in the previous 12 months fell from 39% in 2022 to 32% in 2023, and for charities from 30% to 24%,[8] though the survey cautions that smaller organisations may simply be identifying fewer attacks. Much like GDPR, the bill provides for heavy fines. For example, it would raise the maximum penalty for breaches of the Privacy and Electronic Communications Regulations (PECR) to £17.5 million or 4% of global annual turnover, whichever is higher, bringing PECR into line with the UK GDPR.
Gramm-Leach-Bliley Act – USA
There are several long-standing data laws, and the Gramm-Leach-Bliley Act (GLBA) is one of the best known. Passed in 1999, the GLBA governs how financial institutions in the US handle their customers’ non-public personal information. It requires banks and other financial institutions to explain how they share customer information with other parties, and to protect that information. The FTC’s updated Safeguards Rule, issued under the Act, took effect in 2023,[9] but the core purpose remains the same: to maintain the confidentiality and integrity of private financial records.
Given that the US is one of the most targeted nations for data breaches, following the GLBA is essential for keeping information in safe hands. More than 1,000 US organisations reported data compromises in Q3 2023,[10] which is another reason why compliance matters. A key part of the GLBA is the Safeguards Rule, which requires financial companies to develop, implement and maintain an information security programme with administrative, technical and physical safeguards for customer data.
Penalties and effectiveness
Again, the penalties are severe: failure to comply with the Safeguards Rule can mean fines of up to $100,000 per violation. PayPal’s peer-to-peer payment service Venmo is a notable example of non-compliance and of the GLBA’s effectiveness. In 2018, the FTC alleged that Venmo had violated the GLBA’s Privacy and Safeguards Rules, including by misleading users about how private their transactions were.[11] PayPal also paid $175,000 to the state of Texas to settle the GLBA violation. Another example is Equifax, Inc., which agreed to a settlement of at least $575 million, potentially rising to $700 million, over allegations that it failed to secure its network, leading to the 2017 breach that exposed the personal data of roughly 147 million people.[12]
Setting new standards with legislation
There is plenty of evidence that cyber security legislation is having the desired effect: around 60% of executives at private organisations agree that cyber security and privacy regulation reduces risk in their organisation’s ecosystem.[13] Legislation is essential for setting standards of behaviour, but there is more to do to improve data security. Ultimately, the most robust line of defence is to protect the data itself with strong encryption, so that even if a network is breached and data is exfiltrated, what the attacker obtains is useless without the keys. Regulation sets the expectations; encryption limits the damage when those expectations are not met.
Now is the time to take preventative action against cybercrime. Get in touch with the team at Senetas to discuss the encryption options we have available.
[1] Data breaches worldwide | Statista
[2] Data Protection and Privacy Legislation Worldwide | UNCTAD
[3] Highest GDPR violation fines Spain 2024 | Statista
[4] GDPR turns five: Has it positively changed the landscape of Data Protection? – Business Leader
[5] EDPB: Application of the GDPR successful, but sufficient resources are necessary to tackle the challenges of the future | European Data Protection Board (europa.eu)
[6] Understanding the Data Protection and Digital Information Bill · Yoti
[7] Biggest Data Breaches in the UK [Updated 2024] | UpGuard
[8] Cyber security breaches survey 2023 – GOV.UK (www.gov.uk)
[9] Updates to the Gramm-Leach-Bliley Act Cybersecurity Requirements | Knowledge Center
[10] https://www.idtheftcenter.org/post/q3-2023-data-breach-report-itrc-reports-data-compromise-record-with-three-months-left-in-year/
[11] FTC Announces Settlement with PayPal for Alleged FTC Act and GLBA Violations by Venmo | The Data Advisor (wsgrdataadvisor.com)
[12] Equifax, Inc. | Federal Trade Commission (ftc.gov)
[13] WEF_Global_Cybersecurity_Outlook_2024.pdf (weforum.org)