“Let the punishment fit the crime,” says an oft-quoted line from Gilbert & Sullivan's comic opera The Mikado.
But what sort of punishment should befall organizations that experience a major data breach? It's a complex question, given that not every company or agency that falls prey to hackers has been equally careless with its security controls, not every breached business holds information of the same value, and not every one will react the same way to an incident.
Bob West, managing director in charge of security at CareWorks Tech, a Dublin, Ohio-based technology consulting and digital marketing firm, points out that in health care and financial services, there are “a pretty formal set of penalties” given the regulatory oversight and compliance control in both of these industries (which tend to deal in the most sensitive personal records). While he points out that regulatory examiners will often give an out-of-compliance company “time to get their house in order,” West – a former chief information security officer at Fifth Third Bank and Bank One – says that many organizations can be levied fines, prevented from making acquisitions and suffer other major penalties for suffering breaches, or for simply putting themselves in a position where they more easily could.
But in relation to organizations on the whole, “the laws governing breach notification in the United States are all over the map because there is still no comprehensive federal-level law regarding breach notification,” says Andrew Braunberg, research vice president for NSS Labs, an Austin, Texas-based security product testing laboratory. “Some personal data does have federal-level protection, most notably medical data. However, many of the biggest breaches of late in the United States have been in retail.”
Companies are legally responsible for protecting personally identifiable information (PII); the health care industry has several laws for protecting PII under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act, and the Federal Communications Commission can fine telecommunications companies for violating privacy requirements, or the Federal Trade Commission can investigate companies that are perceived to be pursuing deceptive or unfair data security practices or failing to protect customers' PII. Also, at latest count, 47 of the 50 states have their own breach notification laws, with monetary penalties ranging from direct fines to allowing lawsuits from victims of breaches to recover damages through civil action, Braunberg adds. However, the monetary penalties assessed by states typically are capped at a maximum value per breach event and, as Braunberg says, “monetary penalties are not necessarily seen as the primary motivator of encouraging better security practices.”
Similarly, the United States has few laws or regulations on the books that specifically penalize organizations when they suffer a data breach, says David Holtzman, vice president of compliance for CynergisTek, an Austin, Texas-based information security and privacy consulting firm. “With the notable exception of the health care sector, organizations that experience a data breach face a patchwork of state and federal regulations that generally require notification of individual consumers when disclosure of sensitive financial or personal information, like a Social Security number or credit card information that could put the individual at significant risk of fraud or identity theft,” Holtzman says.
When the incident fulfills certain criteria, like a significant number of persons affected, some states also require notifying law enforcement or the state attorney general, and possibly the media or credit reporting agencies, he says.
“However, even after reporting, few of these incidents are investigated, and even fewer have resulted in any civil fine or penalty – except when the resulting enforcement activity uncovers lax data security that falls far below accepted industry best practices,” Holtzman points out.