When a company suffers a data breach, it is often difficult to quantify the total damage. One measurable impact, however, is the fines levied against it. There are numerous ways an organization can expose itself to financial penalties for its security weaknesses, and some of the country’s most recognizable brands have faced the consequences of violating these rules.
The top risks are as follows:
In 2014, Yahoo was attacked by hackers who made off with half a billion users’ PII, including usernames, email addresses, phone numbers, birthdates, encrypted passwords, and security questions and answers. However, its investors, let alone its users, did not find out about the breach until nearly two years later. Given that the United States requires a company to notify affected parties of a data breach within 60 days, or sooner depending on state law, this was well beyond the compliance window. As a result,
A judge ruled this month that The University of Texas MD Anderson Cancer Center (MD Anderson) must pay $4.3 million for its failure to comply with HIPAA’s Privacy and Security Rules in three separate data breaches, two of which resulted from accidental exposures. Despite having begun to implement an encryption program in 2011, MD Anderson did not reach full encryption until 2013. As a result, its penalty includes $2,000 for each day MD Anderson was not compliant between March 24, 2011 and January 25, 2013, as well as a $1.5 million fine for each year of noncompliance, 2012 and 2013.
This blog is part one of our Breach 101: Cost of Non-Compliance blog series. In our next post, we will explore the cost of Legal Fees. To read the introduction, click here.
Companies have a stake in your privacy – and regulatory fines are just
Selecting a team of security partners is the first step towards long-lasting protection for your company and your customers. Choose experts that help you prevent security issues before they happen, but also consider partners that can look for vulnerabilities, or even for evidence that your data has already been breached. In an ideal world, a breach never occurs. But in this new GDPR era, it can be invaluable to understand from the first minute what data has been compromised. That insight makes the notification process not only quicker but also more accurate.