Critical infrastructure firms could be fined twice under GDPR and the new NIS Directive for the same data breach, said Dr Kuan Hon, Director of privacy and information at Fieldfisher when speaking at the Computing’s Cloud & Infrastructure Live! event.
The new NIS Directive is aimed at securing critical infrastructure firms such as those in electricity, water, energy transport, and health sectors from cyber attacks or data exfiltration attempts.
The Directive incentivises operators who take adequate measures to deter cyber attacks, assess security risks effectively and engage with competent authorities, while imposing penalties on those who do not take adequate measures to prevent such attacks. It only covers the loss of service as a result of cyber attacks instead of loss of data and is part of the government’s £1.9 billion National Cyber Security Strategy.
GDPR and NIS Directive applicable to critical infrastructure breach
According to Dr Kuan Hon, who is also a Volunteer at the ICO, critical infrastructure firms could be fined under both GDPR and the NIS Directive for the same incident if they are unable to prevent such attacks or if authorities determine that such firms did not take adequate steps to detect or prevent attacks.
“Under the NIS Directive, this is a really, really broad definition. Basically, it’s any connected device; any network; and any data that’s associated with those. The UK government does know that there’s this possible double jeopardy, but that is the way it is. They are separate and different, but they have to be considered together.
“People have tried to raise this argument with the government before, and [the government] says, ‘They’re for two different purposes: the GDPR is to protect personal data and individuals; the NIS Directive is to protect the security of networks and information systems’.
“There is wording [in NIS] saying ‘Try to take account of fines and penalties under other legislation’, so hopefully the regulators will talk to each other and have a consistent view about who’s going to be applying the fine; but theoretically, yes, you could have a sort of double-whammy,” she said.
What Dr Hon summarised is that even if a critical infrastructure firm faces action under both GDPR and the NIS Directive for suffering the same cyber incident, the resulting penalty imposed on it would not necessarily be a ‘1+1’ thing but could be an average of likely penalties imposed under both laws.
Agreeing with Dr Hon’s assessment, Tim Erlin, VP at Tripwire, said that the concept of both GDPR and NIS Directive to be at play in an incident is a real possibility and the risk of paying multiple fines is very real.
“If both GDPR and the NIS directive are applicable, there will be people behind any decisions on how to levy fines. It’s nearly impossible to know how those decisions will hypothetically fall without real circumstances to consider.
“Of course, the objective of these types of regulation isn’t punishment. Regulatory tools are intended to motivate better behavior through the threat of meaningful financial impact. Too much or too little impact will make a regulation ineffective,” he added.
Mayur Upadhyaya, Managing Director, EMEA at Janrain, said that even though GDPR and NIS Directive have different intents and the government has said that firms won’t be subjected to double jeopardy, repeat offenders to those that flagrantly ignore remediation advice might be at risk of being fined by both regimes.
“It is possible that a company could be found in violation of both GDPR and the NIS Directive as the result of a single incident. However, the NIS Directive is primarily focused on continuity of operations whereas GDPR is primarily about privacy,” says Ross Rustici, senior director of intelligence services at Cybereason.
“For a company to find itself in the crosshairs of both regulations, the company would have to have has a major interruption to service while having EU citizen data compromised. And again, possible, but not highly likely outside of a couple of sectors such as healthcare or banking,” he adds.