The proposed new European Union data protection rules will impose onerous burdens on information security professionals, but they may also help get the board’s proper attention.
Company boards have traditionally viewed security as a grudge purchase, much like insurance, but the threat of significant fines for data breaches could change all that.
While the maximum penalty of £500,000 that the Information Commissioner's Office can impose has been widely dismissed as inadequate, the new EU rules allow for fines of up to €1 million or up to 2% of annual worldwide turnover.
This is more likely to get the attention of decision makers, says Eduardo Ustaran, partner at legal firm Field Fisher Waterhouse.
This new rule will change the economics of security, says Bruce Green, chief operating officer at web and email security company M86 Security.
The cost of compliance compared to the financial risk of a breach will now fall firmly in favour of security for global enterprises, he says.
Green believes this will have the positive effect of making information security a discussion for the boardroom, not just the domain of compliance specialists and privacy officers.
While the new rules may not be as business-friendly as EU Justice Commissioner Viviane Reding claims, they will not only force many businesses to review their data defences, but also help provide the business case for the information security professionals responsible for achieving compliance.
Despite the initial criticism of the proposed new EU data protection rules from various quarters, at the very least they will help drive a new wave of awareness and innovation in information protection and cyber security, which can only be a good thing.