July 19, 2018

The Cost of Non-Compliance: When the Fines Add Up

Welcome to Part 1 of our Breach 101 Blog Series:
The Cost of Non-Compliance: When the Fines Add Up

When a company suffers a data breach, it is often difficult to quantify the totality of the damage. But one measurable impact can be the fines against it. There are numerous ways that an organization can open itself up to financial penalties for its security weaknesses, and some of the country’s most recognizable brands have faced the consequences for violating the regulations that govern them.

The top risks are as follows:

Failure to Disclose

In 2014, Yahoo was attacked by hackers who made off with half a billion users’ PII, including usernames, email addresses, phone numbers, birthdates, encrypted passwords, and security questions and answers. However, their investors, let alone their users, didn’t find out about this breach until nearly two years later. Given that the United States mandates that a company must notify affected parties of a data breach within 60 days, or sooner depending on state law, this was well beyond the window of compliance. As a result, the SEC mandated that Altaba, Yahoo’s holding company, pay a $35 million fine for withholding information. There is also precedent for state attorneys general to levy additional fines.

HIPAA Violations

A judge ruled this month that The University of Texas MD Anderson Cancer Center (MD Anderson) must pay $4.3 million for its failure to comply with HIPAA’s Privacy and Security Rules in three separate data breaches, two of which resulted from accidental exposures. Despite having begun to implement an encryption program in 2011, MD Anderson did not reach full encryption until 2013. As a result, its penalty includes $2,000 for each day MD Anderson was not compliant between March 24, 2011 and January 25, 2013, as well as a $1.5 million fine for each year of noncompliance, 2012 and 2013.

GDPR Non-Compliance

Within hours of GDPR going into effect, Google, Facebook, Instagram, and WhatsApp were hit with complaints from a privacy advocacy group that could carry fines of up to $9.3 billion in total. The group alleges that these four companies are employing a “take it or leave it” approach to privacy by forcing users to submit to intrusive terms of use. As full GDPR compliance has only been mandatory since late May, no fines have yet been issued that could provide insight into the actual financial risk facing companies. However, if this complaint comes to fruition, it will set a high precedent for how the EU expects its internet users to be treated. For comparison, it is estimated that the Yahoo breach described above would have resulted in GDPR fines of $80-160 million.

This blog is part one of our Breach 101: Cost of Non-Compliance blog series. In our next post, we will explore the cost of Legal Fees.

Big fines from non-compliance

Takeaways for individuals:

Companies have a stake in your privacy – and regulatory fines are just one risk they face. Along with the financial ramifications of the lofty fines, they also risk losing customers and damaging their reputation. Stay vigilant when monitoring your personal accounts, and be sure to alert the companies you partner or do business with when you notice suspicious activity.

Takeaways for Companies:

Selecting a team of security partners is the first step towards long-lasting protection for your company and your customers. Choose experts who not only help you prevent security issues before they happen, but who can also look for vulnerabilities, or even for evidence that your data has already been breached. In an ideal world, a breach never occurs. But in this new GDPR era, it can be invaluable to understand from the first minute what data has been compromised. This insight not only makes the notification process quicker, but also more accurate.