“Let the punishment fit the crime,” says an an oft-quoted line from Gilbert & Sullivan’s comic opera The Mikado.
But what sort of punishment should befall organizations that experience a major data breach? It’s a complex question, given that not every company or agency to fall prey to getting hacked has been equally careless in their security controls, not every breached business holds the same valued information, and not every one will automatically react the same way to an incident.
Bob West, managing director in charge of security at CareWorks Tech, a Dublin, Ohio-based technology consulting and digital marketing firm, points out that in health care and financial services, there are “a pretty formal set of penalties” given the regulatory oversight and compliance control in both of these industries (which tend to deal in the most sensitive personal records). While he points out that regulatory examiners will often give an out-of-compliance company “time to get their house in order,” West –a former chief information security officer at Fifth Third Bank and Bank One – says that many organizations can be levied fines, prevented from making acquisitions and suffer other major penalties for suffering breaches, or from simply putting themselves in a position where they more easily could.
But in relation to organizations on the whole, “the laws governing breach notification in the United States are all over the map because there is still no comprehensive federal-level law regarding breach notification,” says Andrew Braunberg (left), research vice president for NSS Labs, an Austin, Texas-based security product testing laboratory. “Some personal data does have federal-level protection, most notably medical data. However, many of the biggest breaches of late in the United States have been in retail.”
Companies are legally responsible for protecting personally identifiable information (PII); the health care industry has several laws for protecting PII under Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act, and the Federal Communications Commission can fine telecommunications companies for violating privacy requirements, or the Federal Trade Commission can investigate companies that are perceived to be pursuing deceptive or unfair acts of data security or for failure to protect customers’ PII. Also, at latest count, 47 of the 50 states have their own breach notification laws, with monetary penalties ranging from direct fines to allowing lawsuits from victims of breaches to recover damages through civil action, Braunberg adds. However, the monetary penalties assessed by states typically are capped at maximum value per breach event and, as Braunberg says, “monetary penalties are not necessarily seen as the primary motivator of encouraging better security practices.”
Similarly, the United States has few laws or regulations on the books that specifically penalize organizations when they suffer a data breach, says David Holtzman (left), vice president of compliance for CynergisTek, an Austin, Texas-based information security and privacy consulting firm. “With the notable exception of the health care sector, organizations that experience a data breach face a patchwork of state and federal regulations that generally require notification of individual consumers when disclosure of sensitive financial or personal information, like a Social Security number or credit card information that could put the individual at significant risk of fraud or identity theft,” Holtzman says.
When the incident fulfills certain criteria, like a significant number of persons affected, some states also require notifying law enforcement or the state attorney general, and possibly the media or credit reporting agencies, he says.
“However, even after reporting, few of these incidents are investigated, and even fewer have resulted in any civil fine or penalty – except when the resulting enforcement activity uncovers lax data security that falls far below accepted industry best practices,” Holtzman points out.
West argues that even in health care, “there’s not a lot of teeth” in current legislation and rules, including HIPAA. State and federal officials are making examples of a few organizations that they have considered to be negligent in their practices or reporting – with limited effect. For example, in 2010, Connecticut’s Attorney General Richard Blumenthal sued that state’s Health Net for failing to secure private patient media and financial records for more than 446,000 enrollees, and not promptly notifying them of a security breach. In March 2011, the managed care organization disclosed that personal information from another 1.9 million members and providers in several other states had gone missing two months before, while it was en route (on servers) from California to Colorado. It was, at the time, one of the largest medical information breaches.
Andrew Braunberg, research vice president, NSS Labs
David Holtzman, vice president of compliance, CynergisTek
Andrea Little Limbago, principal social scientist, Endgame
Mark Orlando, director of cyber operations, Foreground Security
Rob Sadowski, director of technology solutions, RSA
Bob West, managing director, CareWorks Tech
Most state-based data breach laws assess financial penalties based on type of data, time to notify or size of the breach, or a combination thereof, and, in most cases, there is a maximum fine less than $1 million, according to Mark Orlando, director of cyber operations for Foreground Security, a Lake Mary, Fla.-based security services, training and solutions company. Federal agencies assess their own larger penalties for industries under their purview, he points out, such as the $25 million dollar fine the FCC ordered AT&T to pay in April 2015, following a major breach last year.
“However, even in that case, which was a record amount for a data breach, the penalty amounts to a small fraction of the company’s revenue, which was reported as over $132 billion last year,” says Orlando, “and is therefore a questionable incentive to ‘do better’ where security is concerned.”
There are some class action law suits underway, including one against Home Depot, points out Andrea Little Limbago, principal social scientist at Endgame, an Arlington, Va.-based provider of software solutions to the U.S. intelligence community and Department of Defense. Target reached a settlement in April for its massive 2013 breach for $10 million. “However, the enforcement of these laws is inconsistent and, in many cases, viewed as negligible compared to the costs for some companies to modernize its security practices and therefore is not a deterrent,” Limbago adds.
Further, despite recent inroads, the penalties and threat of lawsuits are not typically proving to be enough to change the lax IT security of many lax organizations, says Jeremiah Grossman, founder of WhiteHat Security, a Santa Clara, Calif.-based provider of end-to-end solutions for web security. “The penalties are not putting anyone out of business,” he says. “You would be hard-pressed to find anyone to say they’re harsh.”
Yet, Rob Sadowski, director of technology solutions for RSA, a Bedford, Mass.-based division of EMC Corporation, says that despite the conventional wisdom that monetary penalties are “too infrequent and not severe enough to compel action or deter behavior…this line of thinking ignores the fact that intangible damages – losses of brand equity and customer trust – are often much more damaging, and much more difficult to repair, than by paying a fine.”
In this way, he says that mandatory breach disclosure laws have proven to be “a much more effective tactic to compel action.” Indeed, according to a June 2014 study by Radius Global Market Research, 69 percent of consumers say they would be less inclined to do business with a breached organization, Sadowski points out.
Yet, despite the loss of customer trust, brand respect, stock losses and even major firings that can result from a major data breach, many organizations are still weighing the odds of getting hacked versus the cost and commitment of improving their IT security strategy. And many are still not erring on the side of caution, industry insiders say. Limbago sees this in a so-called “risk calculus,” or assessing the cost of security modernization with the probability of being attacked.
“Many corporate leaders remain in favor of the status quo, although it is slowly beginning to change in light of the high-profile breaches,” Limbago says. “Until that risk calculus changes significantly – either via harsher legal penalties, a better understanding of the threat landscape, or a more informed prioritization of the protection of proprietary corporate information (including PII) – there will not be a significant change.”