Most companies understand that a data breach is one of the most potentially damaging events that could occur in the business world. Yet, in 2017, it seems that many still underestimate just how crippling data breach fines in the United States can be.
In fact, in the health industry alone, the 1996 Health Insurance Portability and Accountability Act (HIPAA), which deals with the security and protection of medical information, has imposed more than $60 million in penalties and fines since its inception.
Compliance Online reported that, despite the huge penalties that have already been applied, more than 120 million people were affected by medical data breaches in 2015 alone. As a result, HIPAA is now being enforced with even more stringent penalties and fines than ever before.
And this is just the health industry. Data breaches are becoming of greater concern among corporations in every sector of the United States economy, leading regulatory bodies to impose crippling data breach fines in 2017 and beyond.
The Extent of Data Breach Fines in The United States
The Ponemon Institute recently released its 2017 Cost of Data Breach Study, its “12th annual benchmark study on the cost of data breach incidents for companies located in the United States,” which shed light on the situation facing United States corporations in 2017 compared to previous years.
In summary, the study found that the impact of data breaches in the United States continues to rise, with the average total cost of a data breach to a United States organization increasing from $7.01 million in 2016 to $7.35 million in 2017.
As Business Insider noted, regulatory fines make up a significant proportion of the costs to a corporation following a data breach. In addition to HIPAA, which regulates breaches of medical data, a corporation in the United States would potentially face fines from one or more regulatory agencies, including the Payment Card Industry Data Security Standard, Health and Human Services, Federal Trade Commission, and the Federal Communications Commission.
The Ponemon Institute included regulatory fines under its “post data breach costs” section, along with legal expenditures and special investigative activities, among others. The study found that post data breach costs came in at $1.56 million in the 2017 study, a slight decrease from $1.72 million in 2016. The Institute attributed the decrease to higher reliance on the purchase of cyber and data breach insurance, which somewhat offset increased regulatory fines.
Data Breach Rules in Your State
Data breach laws and regulations differ from state to state in several regards, including whether organizations are required to notify individuals who could potentially be affected by a breach, along with the exact definition of a data breach, the extent of personal information that must be revealed to constitute a breach, and guidelines as to the types of corporations and organizations that are subject to the laws and regulations.
The National Conference of State Legislatures (NCSL) provides a useful reference to find out the applicable data breach laws and regulations in each US state.
Avoiding Data Breach Fines
For some industries in particular, it may seem as if a data breach is all but inevitable. Indeed, many agree that United States corporations are at a disadvantage when trying to defend themselves against data breaches.
On the other hand, there are steps that every organization can take to increase its preparedness for a potential data breach: steps which could avert a data breach – and its correspondingly heavy regulatory fines – that might otherwise seem imminent.
Prepare for An International Breach
Interestingly, one of the top tips for United States corporations to avoid a data breach is for corporations to prepare themselves for an international breach as much as they prepare themselves for a local one.
The Ponemon Institute study reports that an alarming 42% of United States corporations have not taken steps to prepare themselves for an international data breach.
For example, in May 2018, the General Data Protection Regulation (GDPR) will become Europe’s primary data privacy law, bringing with it a mandatory 72-hour breach notification requirement stipulating that all data breaches must be reported to the relevant Data Protection Authority and, in addition, breaches which could potentially harm an individual must be reported to the affected individuals.
Such strict data reporting laws throughout Europe inevitably mean that United States corporations which deal internationally are at the mercy of data privacy laws throughout Europe and elsewhere.
As such, United States corporations should ensure that they are acting in compliance with international data privacy laws and regulations at all times: as much as they ensure their compliance with local, state, and national laws.
Case Study: Facebook
By way of example, national heavyweight Facebook was fined 150,000 euros (USD $224,000) by CNIL, France’s data protection watchdog, for, among other things, tracking internet users’ web activity without their consent.
While the amount of the fine is little more than a drop in Facebook’s revenue ocean, it was the maximum amount that could be imposed at the time. Since then, a new law has been instated which significantly increased the maximum fine to 3 million euros (USD $4.5 million).
If Facebook can be caught by international legislation, it stands to reason that any United States corporation is liable to the same risk.
Data Encryption and Security
In addition to being aware of international requirements, the best way for businesses to avoid crippling data breach fines is to pay strict attention to their data encryption and security policies and to ensure that appropriate measures are in place at all times.
Security policies must be robust, strictly enforced, and applicable at every tier of a corporation. From data wiping policies that ensure personally identifiable information does not remain on unused hard drives and other equipment, to the restriction of access to customer data and other secure information solely to those employees and contractors who require access, corporations have an obligation to ensure that appropriate security measures are in place at all times.
The risk of data breaches is only going to increase in 2018 and beyond, and it is the wise corporation that manages the risk head on, dealing with every possible facet of a potential data breach.
What do you think are the greatest risks regarding data breaches in the coming years? What policies does your corporation have in place to reduce the risk of becoming liable for data breach fines? Let us know in the comments below, and please share this article to maintain the awareness of the risks of data breaches throughout every facet of the United States economy.
Arman Sadeghi | Founder & CEO, All Green Electronics Recycling
Arman Sadeghi founded All Green Recycling in 2008 after watching a “60 Minutes” expose on the current state of electronics recycling in the United States and the lack of focus on Data Security and Environmental Stewardship. He is a serial entrepreneur who currently owns and operates companies in various industries including IT, Data Security, Business Consulting, Marketing, Photography and more.