Compliance in the era of big data

Demonstrators carry a large European Union flag as they march on June 20, 2022, in Tbilisi, Georgia. Today's columnist, Ross Hosman of Drata, says that a focus on compliance can save companies hefty GDPR and CCPA fines. (Photo by Daro Sulakauri/Getty Images)

Data is king, and tech giants like Google and Facebook aren’t the only ones sitting on massive amounts of it. Businesses of all sizes and in all industries are collecting all the data they can get their hands on. In the past, that data was often as simple as usernames and passwords, stored credit card information, and contact information. But today’s businesses understand that the more they know about their customers, the more successfully they can monetize that data. Customer search queries, physical locations, demographic information, and other data is worth its weight in gold to businesses seeking valuable new insights.

So if data is king, that king needs knights, cavalry, and other protectors in the form of modern security tools. Breaches have serious consequences for today's businesses, especially as they grapple with securing the cloud amid widespread adoption of cloud services. Data such as Social Security numbers, facial recognition templates, and purchase histories are all exposed when those protections fail, and regulators, business partners and, more importantly, customers will come knocking in the days following an incident. In today's world, data protection has become critical, and security teams must make compliance a priority.

The rising cost of a breach

Data breaches cost companies a lot of money. IBM's 2021 "Cost of a Data Breach" report put the average cost of a breach at $4.24 million. Just a year before, the average was $3.86 million, and IBM notes that this roughly 10% increase is the largest single-year jump in the seven-year history of the report. What's more, breaches are significantly more costly in industries like healthcare, where the average breach now costs more than $9 million. Public sector breaches have also jumped sharply, rising from an average of $1.08 million in 2020 to $1.93 million in 2021.

The rising cost of compliance violations has become a major factor in the cost of a breach. The European Union's General Data Protection Regulation (GDPR) was the first privacy law to attach penalties of this scale to data protection failures. GDPR's highest tier of administrative fines reaches €20 million or 4% of the firm's worldwide annual turnover for the preceding financial year, whichever is higher, and a breach that stems from inadequate security can be fined under the integrity-and-confidentiality principle in Article 5(1)(f), which sits in that tier. In the United States, individual states have imposed their own data protection regulations. California led the way with the California Consumer Privacy Act (CCPA), which allows civil penalties of up to $2,500 per violation, or $7,500 per intentional violation, and separately gives consumers a private right of action for breaches caused by a failure to implement reasonable security, with statutory damages of $100 to $750 per consumer per incident. Given that a single breach can expose more than 1 million records, and that penalties and damages are counted per violation or per affected consumer rather than per incident, businesses now face the prospect of potentially crippling fines if they are not careful.

The hidden toll of a breach

When estimating the cost of a breach, some factors are easy to calculate, such as the ransom paid in a ransomware attack, while others are not. How does a business put a number on reputational damage or lost business? The actions that follow a breach are neither cheap nor easy: investigating and remediating the source of the breach, notifying and making restitution to potential victims, and pursuing or defending legal action. And even when a breach has been fully remediated and the underlying vulnerability addressed, compliance exposure can remain.

GDPR and CCPA are enforced through fines, as are some industry-specific measures like HIPAA, which establishes steep penalties for healthcare companies lax with patient data. However, there are other types of standards to consider. SOC 2, while not legally required, has become the de facto industry standard for companies of all sizes looking to demonstrate that customer data stored in the cloud is secure. A SOC 2 report is not a certification but an independent auditor's attestation, under the AICPA's Trust Services Criteria, that a service organization's controls are suitably designed (Type I) and, for a Type II report, operated effectively over a review period; a "clean" report is one with an unqualified opinion and no noted exceptions. With a growing share of companies embracing SaaS partners, the trust that a clean SOC 2 report establishes has become critical. For businesses operating in the cloud, not having one can limit the company's ability to scale. Customers won't do business with a company they believe has a weak security posture or insecure systems, and the resulting reputational damage can be on par with that of a data breach.

Compliance in the spotlight

Today's businesses are gathering an unprecedented amount of data, but many are not paying enough attention to where that data gets stored or how it is secured. As high-profile data breaches continue, governments around the world are cracking down with legislation like GDPR and CCPA. Compliance is about more than avoiding penalties, though: frameworks like SOC 2 help businesses establish trust with one another before they do business. These standards exist to ensure a baseline level of security, and meeting them serves as evidence that the company understands the danger and has taken concrete steps to address it. In the era of big data, that can go a long way.

Ross Hosman, chief information security officer, Drata
