You could be fined twice for the same breach under GDPR and NIS
Critical infrastructure providers could be hit with a double penalty for a data breach where new EU laws coincide
Companies could end up paying twice for the same data breach under new EU regulations, delegates heard at Computing's Cloud & Infrastructure Live! event last week - with the potential fines reaching as high as £34 million.
Dr Kuan Hon of Fieldfisher drew parallels between the new Networking and Infrastructure Security (NIS) Directive and the General Data Protection Regulation (GDPR), both of which are designed to encourage cyber defence.
While the GDPR is aimed at protecting people's personal data, NIS is built around protecting the security of information systems at critical infrastructure providers. The definition includes providers of energy, water, transport, health and digital infrastructure: that can mean cloud providers, search engines and online marketplaces like eBay.
Hon explained that the Directive regulates two main types of services:
- critical infrastructure ("essential services"), including digital infrastructure
- digital services - with a lighter touch than critical infrastructure.
Digital services in this case include cloud, online marketplaces and search engines.
Digital infrastructure, which is a subset of critical infrastructure, has a very specific meaning - it's limited only to IXPs, DNS service providers, and TLD name registries (I spelt that out in a previous draft of my slides but then cut it out as I thought I wouldn't have time to go into that!). The Directive is tougher on digital infrastructure than on digital services.
"Under the NIS Directive, this is a really, really broad definition," said Hon. "Basically, it's any connected device; any network; and any data that's associated with those."
If a provider's network is breached and contains personal data, that opens up the possibility of penalties under both regulations - and each carries a maximum fine of £17 million.
"The UK government does know that there's this possible double jeopardy, but that is the way it is. They are separate and different, but they have to be considered together."
Answering an audience question about government awareness of the crossover, Hon said:
"People have tried to raise this argument with the government before, and [the government] says, 'They're for two different purposes: the GDPR is to protect personal data and individuals; the NIS Directive is to protect the security of networks and information systems'.
"There is wording [in NIS] saying 'Try to take account of fines and penalties under other legislation', so hopefully the regulators will talk to each other and have a consistent view about who's going to be applying the fine; but theoretically, yes, you could have a sort of double-whammy."
IT security failings are, increasingly, costing CIOs and CEOs their jobs. With business utterly dependent on IT, it's not enough for senior executives to dismiss security as 'techie stuff'. At Computing's Enterprise Security & Risk Management Live event, hear from the National Crime Agency, ex-hackers and big-business CISOs to learn about how they are tackling cyber security. For more information, check out the dedicated event website. Attendance is FREE to IT leaders and senior IT pros.