Regulatory Fines, Prison Time Render “Check Box” Security Indefensible
In May 2017, the Equifax data breach compromised critical credit and identity data for 56 percent of American adults, 15 million UK citizens and 20,000 Canadians. The Ponemon Institute estimates that the total cost to Equifax could approach $600M in direct expenses and fines. That doesn’t include the cost of the security upgrades required to bring their IT system up to date.
Around the time that Equifax became aware of their breach in 2017, Facebook incorporated vulnerable software into its video uploader. By the time that Facebook learned of the breach fourteen months later, attackers had already exploited a vulnerability to compromise 50 million user accounts.
The amount of data lost in the Facebook breach was less than a third than in the Equifax security incident. But the cost for losing that data will be almost three times what Equifax paid. According to Barrons, the Facebook breach could cost $1.63B in fines from European regulators alone.
So what’s the difference?
Well, GDPR does permit regulators to fine companies who don’t maintain compliance up to four percent of their global revenue. (For Facebook, that was $40 billion in 2017.) But, GDPR is not the point of the story. GDPR is just the first major strand in a web of privacy regulations which trade agreements are propagating worldwide. Those agreements are dramatically raising the stakes for a data breach.
As an example, Europe’s GDPR concept is connecting to regulatory efforts and influencing regulatory thinking in countries far beyond European borders. Trade agreements with Europe require that trading partners provide privacy and other protections equivalent to what GDPR offers. So, when South Korea and Japan signed formal agreements with Europe, they recognized equivalency with GDPR.
But these other countries are not simply sycophants of the EU. They are true believers. Japan (Read more...)
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Stephen Wood. Read the original post at: https://www.tripwire.com/state-of-security/regulatory-compliance/regulatory-fines-prison-time-render-check-box-security-indefensible/