The consequences of a corporate data breach can be catastrophic for companies of all sizes. The damage to reputation, customer trust and profits is only the tip of the iceberg:
companies can also face heavy fines under new and strict regulations.
Because a perimeter firewall alone is no longer sufficient to protect data, companies must implement multiple layers of protection on every network endpoint and design their defenses with compliance requirements in mind.
The rise in cyber attacks has led to new and strict data security regulations that matter to companies all over the world. Rules such as the European Union's General Data Protection Regulation (GDPR) are not only relevant to companies based in the EU: they apply to any company that processes the personal data of people in the EU.
The GDPR sets out significant sanctions for non-compliance revealed by an attack, and these sanctions come on top of the economic loss caused by the data breach itself.
Any company that collects personal data must comply with these regulations. This includes companies that sell goods and services and track customer behaviour in order to use that data, for example online monitoring of activity aimed at better identifying the ideal customer. Even if your business operates outside the EU, every device that accesses customer data must be secured.
Meeting the requirements on record keeping, carrying out impact assessments and producing breach reports is time-consuming. Every new device added to the corporate network must be checked against corporate policy and brought under the monitoring of a SIEM (Security Information and Event Management) tool, which tracks critical events, triggers response procedures and supports the production of compliance reports.
Companies must notify a personal data breach to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it. If this deadline is not met, the notification must be accompanied by the reasons for the delay. This requirement was introduced to protect the right of individuals to be informed about how their personal data is used, and to establish whether companies that store such data have procedures, tools and products suitable for monitoring and identifying risks and for blocking attacks in order to protect customer data.
The new legislation introduces a tiered sanctioning system in which the fine is scaled to the gravity of the infringement. The maximum fine is 20 million euros or 4% of the company's total worldwide annual turnover, whichever is higher. In some countries, for example the Netherlands, national legislation has introduced even heavier penalties, up to 11% of annual turnover.