Data Breach Fines: Are They Working to Boost Consumer Safety?

Threat Post, November 7, 2019, with comments by Willy Leichter

Organizations have paid trillions in breach fines, yet the count of compromised companies, data and people keeps rising

As data breaches continue to be a daily event, security experts and executives are looking for ways to stop the trend. In the past five years, breaches have shot up, to the detriment of organizations and individuals alike. So far in 2019, 3,800 breaches have occurred, 50% higher than in the previous four years. The problem seems to be worsening as companies place increasing amounts of data in the cloud.

People have had untold quantities of highly personal information stolen – banking information, healthcare records, home addresses, emails, phone numbers, photos and customer profile information. The organizations that held the stolen data are on the hook for fines, lawsuits, recovery costs, reputational damage and so on.

Data Privacy Regulations Are Levying Higher and Higher Penalties

New laws currently in place such as the General Data Protection Regulation (GDPR) have dished out huge fines against companies. IAG, the owner of British Airways, received a $230 million fine from UK regulators for the British Airways 2018 data breach. (See our article British Airways breach will show us the first serious GPDR penalty.) Equifax agreed to a fine of $575 million from the FTC for its now infamous data breach in September 2017. (See our article FTC Fines Equifax up to $700M for 2017 Data Breach.) Google has also faced a GDPR penalty of $57 million for how it mishandled user data collection and use. Additional tech giants may face a similar situation (Facebook already has and stands to face more). See our article Five Tech Giants – Facebook, Twitter, Apple, LinkedIn, Google – Face Investigations for Possibly Violating European Privacy Laws.

A new law in California – the California Consumer Privacy Act – taking effect January 1, 2020 will enforce similarly strict fines and consequences as well. Most if not all US states have some form of data privacy law, but none as strong as California’s new law. Stricter laws are expected to follow in California’s wake. Organizations that face data breach penalties can therefore face fines and fees from multiple entities – including under the GDPR and from any of the 50 states whose residents were affected. Equifax is paying up to 48 out of 50 states plus Washington D.C. and Puerto Rico.

Will These Hefty Fines Improve the Data Breach Situation?

People have differing opinions as to whether any of these consequential fines are making a difference in motivating companies to ramp up their security defenses to prevent breaches. Some experts say shelling out billions of dollars in fines is making companies increasingly diligent in protecting their data. Others say the problem is too complex to be addressed simply by assessing fines and fees. Judging by the sheer rising volume of data breaches and people impacted, the latter seems truer than the former. Some companies, like Facebook, that have been repeatedly fined continue to have breaches.

One positive impact of these fines, though, is that companies not yet struck by a significant breach, having watched peers and competitors get hit, can only be sobered and worried by seeing it happen again and again. Executives are more motivated than ever to keep their own logos out of the spotlight.

Penalty fees come on top of recovery fees, customer relations fees, lawsuits, loss of business, stock hits, and the list goes on. By the time it’s done – if it’s ever completely done – the costs can be staggering, to the point of placing smaller companies in serious jeopardy. According to a 2016 Ponemon Institute report, costs can add up to $158 per record breached. If a company has just 5 million records breached, that’s $790 million.

Are Any Products Helping to Stem the Data Breach Tide?

Even amidst all the publicity surrounding data breaches, employees continue to fall for the same hackers’ tricks, especially phishing emails. Security staff also frequently misconfigure servers, leaving data exposed without realizing it. Often, patches for known vulnerabilities are not applied in a timely manner, or sometimes not at all. All this contributes to the reality that only a small percentage of data breaches happen due to purely technical exploits. The vast majority – over 95% – involve and even rely on human error. In other words, hackers are more often successful at hacking humans than machines.

Because of this, organizations are implementing security solutions that confirm identity, such as authentication and access management. But those alone are not enough to reverse the current trend.

“This is an eternal game of ‘whack-a-mole’ and too much attention is focused on specific perpetrators,” said Willy Leichter, vice president with Virsec. “The most sophisticated threats are coming from outside the US, and hacker groups are constantly changing and morphing into new threats. Law enforcement will never put an end to cyberattacks.”

Read the full Threatpost article: Data Breach Fines: Are They Working to Boost Consumer Safety?

Further resources:

Analyst Report: A New Approach to Runtime Application Security

British Airways breach will show us the first serious GPDR penalty

Prediction Series #8: GDPR Breach Disclosure Mandate Is Now Global & Must Be Timely

FTC Fines Equifax up to $700M for 2017 Data Breach

Less Than 100 Days Till A New California Privacy Law Goes into Effect

Five Tech Giants – Facebook, Twitter, Apple, LinkedIn, Google – Face Investigations for Possibly Violating European Privacy Laws

This is a Security Bloggers Network syndicated blog from Blog – Virsec Systems authored by Michelle Netten. Read the original post at: https://virsec.com/data-breach-fines-are-they-working-to-boost-consumer-safety/