Will the New European Data Protection Reform Affect Us?
The European Parliament voted in March 2014 to strengthen the privacy rights promised by the European Union's 1995 Data Protection Directive. The reform will change the law from a Directive to a Regulation, meaning it will be directly applicable across the EU without the need to wait for national implementing legislation.
The regulation will apply to any personal data handled abroad by companies that are working with the European Union (EU) market and/or offer their services to EU citizens. That means companies need to be aware of this new update, as well as the risk of non-compliance and harsher penalties potentially imposed under law.
U.S. companies that conduct business in Europe need to ensure that they have a legitimate reason for transferring personal information within or outside of the EU. Personal information is any data concerning a person’s private, professional or public life. It may be a name, a photo, an email address, bank details; posts on social networks, medical information or even a computer’s IP address.
Assuming your company has a legitimate basis for processing and using personal data, the EU Data Protection Reform regulation sets out three avenues to make your data transfers legal:
- Certify compliance through the U.S. Department of Commerce Safe Harbor registration. The European Union still recognizes that Safe Harbor registration is compliant with the EU law. For more information, consult: http://www.export.gov/safeharbor/
- Have appropriate safeguards in place to protect personal data within your company, including for example binding corporate rules approved by EU data protection authorities.
- Complete data transfers in clearly defined, specific situations which necessitate the transfer; for example as part of a legal, tax or competition investigation.
To comply, companies will need to show that their data processing is legitimate, and that they consistently monitor, review and assess the data processing procedures in place. The aim is to minimize the retention of data and build in safeguards for processing activities.
Company leaders should ask themselves these questions:
- What information is to be collected and where?
- Why is the information being collected?
- What is the intended use of the information?
- With whom will the information be shared? Is it shared with Europe?
- Is there an IT system that collects information affecting the personal data of people in Europe?
- How will the information be secured? What security controls or auditing processes exist?
- Do individuals in the EU have an opportunity to decline to provide information or give consent?
And if that is not scary enough, penalties under the reform for data protection violations will rise significantly depending on the seriousness of the offense, whether it is a repeat offense, if it is intentional, and whether the violator is a company with processing data as its primary activity. Sanctions may involve:
- A simple warning for a first, non-intentional offense by a company for which data processing is only an ancillary activity.
- Regular data protection audits.
- A fine of up to 5 percent of annual worldwide turnover for certain serious acts committed intentionally or negligently.
Banks Face New Threat
Banks have been caught off guard by what experts say is the first major mobile banking security threat to hit the United States.
It is a modification of the mobile Trojan called Svpeng, which has been used to steal money from Russian mobile bank accounts, said Dmitry Bestuzhev, head of global research and analysis team, Latin America, at Kaspersky Lab, a Woburn, Mass.-based antivirus software company that discovered the malware.
The malware, which emanates from Russia, has been termed “ransomware,” because the hackers demand a payment in exchange for not destroying the victim’s reputation, claiming there is child pornography and other prohibited content on the cell phone.
“It takes a picture of the victim and then says it will send it with the child pornography findings to all of the victim’s contacts,” Bestuzhev said. “Nobody wants to be a victim of such image reputation damage.”
Cyber criminals are already taking steps to steal online banking credentials from mobile devices, Bestuzhev said.
Previous versions of Svpeng were used to steal money from several banks in Russia, by displaying a fake log-in window in front of the real one, which asked users to input their credentials.
This new malware is deeply integrated and is almost impossible to remove from an infected device, he added. His company found Svpeng through “proactive Internet exploring.”
Better software is needed to protect against malware, said Chris Keegan, a managing director at Beecher Carlson, in New York.
For now, banks rely on warning their customers against social engineering attempts by fraudsters, and usually that means, “Don’t press the button or answer the email.” Banks must warn their customers not to download any applications not found on the iPhone store, Google Play or other verified websites, he said.
Banks Ran Out of Time
Avivah Litan, a Gartner Inc. vice president and analyst in Potomac, Md., said the malware should serve as a wake-up call for many banks, as a fair number of them have not developed security measures for mobile banking that are as robust as those used in online banking.
Ensuring that customers use secured browsers doesn’t apply when they use mobile apps.
Giants like Chase Bank and U.S. Bank and others are developing tougher measures specific to mobile, but the industry as a whole needs to step it up, Litan said.
“They’ve just been slow to put measures in place specific to mobile because there hasn’t been any mobile malware,” she said. “Everybody knew it was coming, but they thought they would have had more time. But now it’s here and they have to think about it now.”
Matt Krogstad, head of mobile banking at Bank of the West in San Francisco, said the bank’s fraud prevention department works with his department to combat mobile malware and other types of mobile banking fraud.
“It’s an ongoing process since the mobile security space is constantly evolving,” Krogstad said.
Bank of the West also tries to protect customers against unofficial third-party services that try to access apps or put themselves between the customer and the apps, after customers download them, he said.
Bank of the West also diligently educates customers about the latest threats, Krogstad said. In cases like Heartbleed, communications to customers were meant to reassure them that the bank had done its due diligence to ensure that their accounts were safe.
“With other malware like this ransomware, it’s more about reinforcing certain behaviors, such as not downloading apps from unofficial app stores or not clicking on links from people you don’t know,” he said. “Don’t jailbreak your phone or put your banking passwords in your contacts.”
Keeping up with all types of cyber crime continues to challenge the industry. Indeed, computer crime and malicious code rank as the No. 5 top risk for banks, according to Aon’s 2014 U.S. Industry Report: Financial Institutions.
However, there is a disconnect at most banks that hampers risk mitigation, said Michael O’Connell, managing director, financial institutions practice at Aon Risk Solutions.
The disconnect occurs because one group traditionally is responsible for purchasing insurance, while another group is responsible for assessing exposures, including technology that may pose an operational enterprise risk, said O’Connell.
“We strongly recommend linking the two groups together, to assess ‘what-if scenarios’ and develop mitigation strategies that include insurance,” he said.
Kevin Kalinich, Aon’s global practice leader for cyber/network risk, said that recent court decisions have ruled that if fraudsters are able to steal customer identities or money, it is the bank’s obligation to help their customers, even if the fraud is out of the bank’s control.
“So if a customer gets fooled on their mobile devices, then the bank has the responsibility to monitor usage of their bank accounts,” Kalinich said.
Global Program Premium Allocation: Why It Matters More Than You Think
Ten years after starting her medium-sized Greek yogurt manufacturing and distribution business in Chicago, Nancy is looking to open new facilities in Frankfurt, Germany and Seoul, South Korea. She has determined the company needs to have separate insurance policies for each location. Enter “premium allocation,” the process through which insurance premiums, fees and other charges are properly allocated among participants and geographies.
Experts say that the ideal premium allocation strategy is about balance. On one hand, it needs to appropriately reflect the risk being insured. On the other, it must satisfy the client’s objectives, as well as those of regulators, local subsidiaries, insurers and brokers. Ensuring that premium allocation is done appropriately and on a timely basis can make a multinational program run much more smoothly for everyone.
At first blush, premium allocation for a global insurance program is hardly buzzworthy. But as with our expanding hypothetical company, accurate, equitable premium allocation is a critical starting point. All parties have a vested interest in seeing that the allocation is done correctly and efficiently.
Basic goals of key players include:
- Buyer – corporate office: Wants to ensure that the organization is adequately covered while engineering an optimal financial structure. The optimized structure is dependent on balancing local regulatory, tax and market conditions while providing for the appropriate premium to cover the risk.
- Buyer – local offices: Needs to have justification that the internal allocations of the premium expense fairly represent the local office’s risk exposure.
- Broker: The resources that are assigned to manage the program in a local country need to be appropriately compensated. Their compensation is often determined by the premium allocated to their country. A premium allocation that does not effectively correlate to the needs of the local office has the potential to under- or over-compensate these resources.
- Insurer: Needs to satisfy regulators that oversee the insurer’s local insurance operations that the premiums are fair, reasonable and commensurate with the risks being covered.
According to Marty Scherzer, President of Global Risk Solutions at AIG, as globalization continues to drive U.S. companies of varying sizes to expand their markets beyond domestic borders, premium allocation “needs to be done appropriately and timely; delay or get it wrong and it could prove costly.”
“This rather prosaic topic affects everyone … brokers, clients and carriers,” Scherzer says. “Many risk managers with global experience understand how critical it is to get the premium allocation right. But for those new to foreign markets, they may not understand the intricacies of why it matters.”
There are four critical challenges that need to be balanced if an allocation is to satisfy all parties, he says:
Across the globe, tax rates for insurance premiums vary widely. While a company will want to structure allocations to attain its financial objectives, the methodology employed needs to be reasonable and appropriate in the eyes of the carrier, broker, insured and regulator. Similarly, and in conjunction with tax and transfer pricing considerations, companies need to make sure that their premiums properly reflect the risk in each country. Even companies with the best intentions to allocate premiums appropriately are facing greater scrutiny. To properly address this issue, Scherzer recommends that companies maintain a well documented and justifiable rationale for their premium allocation in the event of a regulatory inquiry.
Insurance regulators worldwide seek to ensure that the carriers in their countries have both the capital and the ability to pay losses. Accordingly, they don’t want a premium being allocated to their country to be too low relative to the corresponding level of risk.
Without accurate data, premium allocation can be difficult, at best. Choosing to allocate premium based on sales in a given country or in a given time period, for example, can work. But if you don’t have that data for every subsidiary in a given country, the allocation will not be accurate. The key to appropriately allocating premium is to gather the required data well in advance of the program’s inception and scrub it for accuracy.
When creating an optimal multinational insurance program, premium allocation needs to be done quickly, but accurately. Without careful attention and planning, the process can easily become derailed.
Scherzer compares it to getting a little bit off course at the beginning of a long journey. A small deviation at the outset will have a magnified effect later on, landing you even farther away from your intended destination.
Figuring it all out
AIG has created the award-winning Multinational Program Design Tool to help companies decide whether (and where) to place local policies. The tool uses information that covers more than 200 countries, and provides results after answers to a few basic questions.
This interactive tool — iPad and PC-ready — requires just 10-15 minutes to complete in one of four languages (English, Spanish, Chinese and Japanese). The tool evaluates user feedback on exposures, geographies, risk sensitivities, preferences and needs against AIG’s knowledge of local regulatory, business and market factors and trends to produce a detailed report that can be used in the next level of discussion with brokers and AIG on a global insurance strategy, including premium allocation.
“The hope is that decision-makers partner with their broker and carrier to get premium allocation done early, accurately and right the first time,” Scherzer says.
For more information about AIG and its award-winning application, visit aig.com/multinational.