When customers buy from and interact with brands, they naturally want their data and communications to be secure – but that isn’t always the case.
As outlined in our Practitioner’s introduction to data security, the Identity Theft Resource Center (ITRC) recorded 3,205 data compromises in the US in 2023, which affected 353 million individuals. Since 2021, the number of data incidents has increased 71 percent.
The situation in the European Union (EU) is much the same. There, more than 2.5 billion records were stolen in cyberattacks between November 2023 and April 2024.
In October 2024, the EU’s Network and Information Security Directive (NIS2) came into effect, broadening the scope of cybersecurity obligations for public and private sector organizations, and a wide range of technology providers.
CX Network caught up with cyber security and compliance expert Jonathan Armstrong, partner at Punter Southall Law, to find out what CX needs to know, the legal risks of non-compliance and his 10-step plan to ensure the safety of customer data.
CX Network: What is the EU’s Information Security Directive (NIS2) and what do businesses need to know about it?
Jonathan Armstrong: NIS2 is effectively an upgrade for EU cybersecurity law. The aim is to increase cybersecurity for critical national infrastructure, but that’s now got a much wider definition. For example, it covers businesses involved in things like digital infrastructure, energy, transport, banking, financial markets infrastructure, health, water, public administration, ICT service management, space, postal and courier services, waste management, chemicals, food retail, manufacturing and research.
Businesses need to know about the requirements the law imposes on them and especially their obligations to report data breaches. They might also need to register if they do business in the EU.
CX Network: How does NIS2 compare to data protection regulations in other markets, such as the US?
Jonathan Armstrong: There is a fairly complex set of laws and regulations in other markets including the UK, the US and Japan, and countries are bringing in new laws almost every week.
It’s part of a global trend by governments to make their country’s infrastructure more secure, particularly with the rise in state-sponsored attacks on systems.
CX Network: What steps have businesses been taking in preparation for NIS2 coming into force on 19 October 2024?
Jonathan Armstrong: Many businesses are already past the gap analysis stage. They’ve looked at their registration obligations and they have looked at how they would report an incident. The best businesses have rehearsed an incident too, so that they know who their team will be, how they will cope and who they will report to. Training is very important and is mandatory for members of the management body.
CX Network: Data security isn’t usually a CX topic, but CX Network’s own research has found that 55 percent of practitioners strongly agree that data privacy and security is becoming more important to customers. Elsewhere in the same research, 31 percent of practitioners said demand for data and communications security is a top customer behavior at present. What can organizations do to ensure customer data is safe and therefore earn and keep customer trust?
Jonathan Armstrong: To ensure that customer data is safe it’s wise to look at your technical and organizational measures – we call these TOMs. What is the technology you use to protect data? Are people with access to the data properly trained? Are your systems up to scratch? Can you respond to threats quickly, even outside office hours?
The CX Network research is interesting and it confirms what we’re seeing: that data security can bring competitive advantage, and it certainly increases the value of an organization if it goes through a sale or fundraising process.
Good data security can help with staff retention, too.
CX Network: What are the legal risks of non-compliance with NIS2?
Jonathan Armstrong: NIS2 brings a range of penalties including the possibility of fines of €10 million or two percent of total worldwide annual turnover of the undertaking to which the entity belongs, whichever amount is higher. There are also personal liability provisions, so action could be taken against senior members of staff and members of management bodies. And as ever, any action under NIS2 is also likely to lead to reputational damage.
CX Network: What are some of the basic data security steps organizations in all markets should be taking to ensure data collection is limited to the necessary, and the data that is collected is safe?
Jonathan Armstrong: We have a 10-point plan which we walk clients through:
- Work out the services you offer and the likely NIS2 impact.
- Look at your processes and procedures: Most organizations now have a data breach reporting procedure to meet GDPR reporting deadlines. NIS2 reporting obligations have tighter time limits, can be wider in nature and can be subject to different regulators. Make sure that your procedures reflect this. While doing this review, you may also want to review any additional reporting requirements, for example those under DORA or the EU AI Act.
- Train your people.
- Look at your response team.
- Rehearse incidents: Our experience shows us organizations that regularly rehearse cybersecurity incidents handle them more effectively.
- Look at and amend supplier contracts.
- Look at the technical and organizational measures (TOMs) you deploy to try to keep your organization secure.
- Tell the board and audit committee about any increased liability, and make sure you have people on the board who understand NIS2 and cybersecurity risk more generally.
- Update your risk register.
- Consider the impact of personal liability provisions.