The high cost of data breaches just got higher

May 31, 2011 by ofonseca

If you thought data breaches were already expensive, given the staff and resources needed to issue breach notifications, offer compensatory protection such as free identity theft monitoring, trace the source of the leak and tighten security, and step up marketing to hold on to customer loyalty, add a new line item to the list.


In an effort to make data breaches even more unpalatable and to push companies to strengthen their security practices, the Federal Trade Commission has begun imposing sanctions for security weaknesses that invite intrusions.  For example, the FTC recently settled with two companies, a payroll and HR firm and an immigration law services firm, both of which hold a great deal of sensitive information about the employees of their business customers, including Social Security numbers.  The organizations were charged with violating federal law by failing to take reasonable and appropriate measures to protect that data, even though both advertised their security with claims such as “worry-free safety and reliability.”  Under the settlements, each firm must implement a comprehensive information security program and undergo independent security audits every other year for 20 years.

Taking a cue from this new practice in the U.S. and other countries, and citing her deep concern over the large number of recent breaches, Canada’s privacy commissioner also wants to start imposing hefty “attention-getting fines” on firms whose customer data is compromised through preventable breaches.

This announcement followed news that Canadian lawyers have filed a $1 billion class-action lawsuit in response to two massive Sony PlayStation Network breaches that exposed the information of 102 million customers.  A U.S. House of Representatives subcommittee is also demanding answers from Sony about the circumstances of these breaches and has scheduled a hearing on the “threat of data theft to American customers.”

Not all security experts think that punishing breached organizations helps protect customers from data theft, noting that it is akin to fining a store after it has been robbed.  Some argue that fines have the opposite effect, deterring companies from reporting breaches in the first place.

As the saying goes, the best defense is a good offense: get ahead of both breaches and costly regulatory penalties by putting a strong, defensible security program in place before an incident, not after.