Companies have long had to deal with high costs associated with hacking. The Ponemon Institute, which tracks breach costs in its long-standing annual report, has found in recent years that cyber incidents on average are in the multi-million dollar range. In 2018, they said the average cost of a breach on a global basis is almost $4 million.
That is an overall average, and the numbers can vary greatly by country. In the US, the average breach cost over the last three years is actually closer to $6 million!
This last category, state and national fines, is undergoing a revamp as governments begin responding to consumer privacy and security demands with new laws that will have a real financial bite.
In the EU, the General Data Protection Regulation (GDPR) has a two-tier fine schedule based on a percentage of global turnover or revenue, depending on the violation. For example, not reporting a breach to an EU regulator within 72 hours can get you a 2% fine, but not implementing the GDPR’s security by design principles lands you a larger 4% fine.
With the recent Facebook breach affecting 50 million of its users, the EU regulators will have a good test case. Ireland’s Data Protection Commission, the lead supervisory authority in this case, is considering a $1.6 billion fine – that’s 4% of the social media giant’s 40 billion worldwide revenue.
Back in the US, California’s Governor Brown recently signed the Consumer Privacy Act of 2018 into law. Going into effect in 2020, this innovative data law has a broad definition of what constitutes personal data, which covers email addresses and other online handles, and will give consumers some of the same rights as the GDPR.
The California law also allows for class action suits to be brought for unauthorized access, theft or disclosure of consumers’ personal data, with damages up to $750 for each resident affected by the incident.
On the national level, the Securities and Exchange Commission has been telling public companies that they should have controls and procedures in place for reporting material cyber events on their quarterly and annual filings.
The SEC is trying to get companies to acknowledge that data breaches, ransomware, and DoS attacks can have serious financial consequences, which investors have a right to know about.
And if a CFO doesn’t report this information or waits too long?
The SEC has shown it is now willing to impose heavy fines for such violations. In late April, the SEC announced a settlement with Yahoo (now known as Altaba) in which it agreed to pay $35 million for waiting almost two years to report its massive 2014 data breach to investors.
While the US currently doesn’t have a national GDPR-like law, it appears there’s a growing consensus to enact similar national legislation. In late September of 2018, major US tech companies, including AT&T, Google, and Apple, asked Congress for a single privacy and data security law covering consumer personal data.
Rather than dealing with separate state laws, like California’s, large US companies would rather have unified rules defining the type of information to be protected, the security measures to be taken, and enforcement actions when there are violations, such as mandatory audits and other penalties.
How can CFOs and the rest of the C-suite get ahead of the game in this new era of tougher data laws?
A good first step for any company to take is to understand what’s at risk (before the hackers show you first).
This starts with a comprehensive data risk assessment of corporate file and email servers—where the lion’s share of sensitive, regulated data lives. Varonis performs thousands of data-focused risk assessments each year, highlighting that, on average, 20% of an organization’s data is accessible to every employee.
Varonis risk assessments show how many sensitive files are overexposed, highlight stale sensitive data (unnecessarily raising risk profiles), and provide actionable ways to reduce risk of data breaches and compliance violations.
In this new era of tougher data laws, data risk assessments are more than just a good IT idea. They will have serious legal and financial implications if not conducted on a regular basis.