[BreachExchange] Data Breach Fines: Are They Working to Boost Consumer Safety?

Destry Winant destry at riskbasedsecurity.com
Wed Nov 13 10:13:40 EST 2019


https://securityboulevard.com/2019/11/data-breach-fines-are-they-working-to-boost-consumer-safety/

As data breaches continue to be a daily event, security experts and
executives are looking for ways to stop the trend. In the past five
years, breaches have shot up to the detriment of organizations and
humans. In 2019, 3,800 breaches have occurred so far, 50% higher than
the last four years. The problem seems to be worsening as companies
place increasing amounts of data in the cloud.

People have had untold quantities of highly personal information
stolen – banking information, healthcare records, personal residence
addresses, emails, phone numbers, photos and customer profile info.
The organizations that harbored the stolen data are on the hook for
fines, lawsuits, recovery costs, reputational damage and so on.

Data Privacy Regulations Are Levying Higher and Higher Penalties

New laws currently in place such as the General Data Protection
Regulation (GDPR) have dished out huge fines against companies. IAG,
the owner of British Airways, received a $230 million fine from UK
regulators for the British Airways 2018 data breach. (See our article
British Airways breach will show us the first serious GPDR penalty.)
Equifax agreed to a fine of $575 million from the FTC for its now
infamous data breach in September 2017 (See our article FTC Fines
Equifax up to $700M for 2017 Data Breach.) And Google also has faced a
GDPR penalty of $57 million for how it mishandled user data collection
and use. Additional tech giants may face a similar situation (Facebook
already has and stands to face more.) See our article Five Tech Giants
– Facebook, Twitter, Apple, LinkedIn, Google – Face Investigations for
Possibly Violating European Privacy Laws.)

A new law in California – the California Consumer Privacy Act – coming
effective January 1, 2020 will enforce similarly strict fines and
consequences as well. Most if not all US States have some form of data
privacy laws, but not as strong as California’s new law. But stricter
laws are expected to follow in Calfiornia’s wake. Still, organizations
that face data breach penalties face fines and fees from multiple
entities – including the GDPR and any of the 50 states if they were
affected. Equifax is paying up to 48 out of 50 states plus Washington
D.C. and Puerto Rico.

Will These Hefty Fines Improve the Data Breach Situation?

People have differing opinions as to whether any of these
consequential fines are making a difference in motivating companies to
ramp up their security defenses to prevent breach occurrences. Some
experts say shelling out billons of dollars in fines is making
companies increasingly diligent in protecting their data. Others say
the problem is too complex to be addressed simply by assessing fines
and fees. It would seem by the sheer rising volume of data breaches
and people impacted that the latter is truer than the former. Some
companies like Facebook who have been repeatedly fined continue to
have breaches.

One positive impact of these fines though is other companies not yet
struck by a significant breach, having watched peers and competitors
get hit by them, can only be sobered and worried by watching it happen
again and again. Executives are more motivated than ever to keep their
own logos out of the spotlight.

Penalty fees come on top of recovery fees, customer relation fees,
lawsuits, loss of business, stock hits and the list goes on. By the
time it’s done – if it’s every completely done – the costs can be
staggering to the point of placing smaller sized companies in serious
jeopardy. According to a 2016 Ponemon Institute Report, costs can add
up to $158 per record breached. If a company has just 5 million
records breached, that’s $790 million.

Are Any Products Helping to Stem the Data Breach Tide?

Even amidst all the publicity surrounding data breaches, employees
continue to fall for the same hackers’ tricks, especially phishing
emails. Security staff also frequently misconfigure servers, leaving
data exposed without realizing it. Often, patches for known
vulnerabilities are not implemented in a timely manner or sometimes
not at all. All this contributes to the reality that only a small
percentage of data breaches happen due to technical exploits. The vast
majority – over 95% – involve and even rely on human error. In other
words, hackers are more often successful at hacking humans than
machines.

Because of this, organizations are implementing security solutions
that confirm identity such as authentication and access management.
But those alone are not enough to reverse the current trend.

“This is an eternal game of ‘whack-a-mole’ and too much attention is
focused on specific perpetrators,” said Willy Leichter, vice president
with Virsec. “The most sophisticated threats are coming from outside
the US, and hacker groups are constantly changing and morphing into
new threats. Law enforcement will never put an end to cyberattacks.”


More information about the BreachExchange mailing list