Data breach fines will prolong the rot
The UK’s Financial Services Authority has imposed a £2.28 million fine for losing a disk containing the information about 46,000 customers. (Who was fined is besides the point here.)
I agree heartily with John Dunn’s “Data breach fines will not stop the rot,” but I’d like to go further: Data breach fines will prolong the rot.
In particular, fines encourage firms to hide their problems. Let’s say you believe the widely quoted cost of a breach numbers of $197 or $202 per record. At $202 per, breach response and notification would run $9,292,000 (2.6 times greater than the $3,522,000 fine.)
At some point, one or more executives makes a call between the disclosure and the risk of penalties for ignoring the law. If a fine were independent of the disclosure, then the fine would not influence disclosure. But fines are not independent. They are highly dependent on businesses first deciding to disclose. The fine may well get worse if you’ve concealed the error. But fines are highly uncertain. First, the size of the fine isn’t known, and second, if a fine will be imposed is unknown. So unless breach fines are regularly huge, sweeping things under the rug will make more sense than inviting them.
In fact, the rational choice for a firm is to wait until total non-notification penalties are (1/p)*c where p is the expected probability of a fine and c is the expected cost of notification. Given estimates of 1/2 to 9/10 of breaches going unreported, that would entail fines from $400 to $2,000 per record. For the breach that started me thinking about this, that’s $18-92 million. Let’s call it 50 million bucks.
For those wanting to deter breaches, and those wanting to punish the firms which lose control of data, that may be attractive. But for context, for a 2005 explosion which killed 15 people and injured 170 more, BP was fined $50 million, and a single fatality at a wheat handling facility lead to a fine of 1.61 million.
Is this breach of the same magnitude of a problem that kills 15? I have trouble seeing it as being of that magnitude. Maybe if we had a better understanding of the link between different breaches and their impact on real people, we could better assess. Maybe 1500 of those people whose data was lost will spend the next five years unable to live their lives because of the lingeringly corrupt databases that result. Maybe the fraud and corruption are a result of this breach. Unfortunately, despite the growing number of states that call for a risk assessment before notification, such risk assessments are, at best, a set of guesses strung together by well-meaning professionals. More likely, they’re CYA and justification for not notifying. When I say “more likely,” that’s my analysis of motivations and economics. It’s better grounded than any post-breach risk assessment I’ve seen.
I am deeply sympathetic to the desire to punish those who put others at risk, both to deter and for the punitive value.
But fines won’t reliably do that. They will prolong the rot.
Speaking from some experience, there seems to be a cottage industry around legally justifying non-disclosure at this point.
Don’t take this the wrong way, but “it’s about time” :^). I did a quick search on “lawyer notification” at another excellent blog and saw posts about loopholes and escape clauses dating back to mid-2006. Indeed, Rob Lemos wrote a nice piece for SecurityFocus around the same time. I guess the amount of money to be made wasn’t large enough until recently, for some reason.
And in the absence of fines but the need to punish those whose responsibility it is to ensure that sensitive customer information is appropriately protected, the solution is what precisely?
Unless someone comes up with a better way of ensuring that there is some kind of stick when organisations get it wrong in terms of data protection, fines will be here to stay. There has to be some kind of punishment.
So, in the absence of your providing any kind of solution to what you perceive to be a problem with the fining situation I provide the following:
0. The UK Govt passes a law which requires companies to notify the relevant authorities in the event of a data breach – similar to California Data Breach law
1. Fines for a data breach commensurate with the sensitivity and amount of data lost/disclosed following an investigation (use whatever formula you like to calculate the level of fine)
2. Jail time for the CEO *if* a breach has failed to be disclosed as required by law in the appropriate time and to the appropriate authorities
For execs considering sweeping a data breach ‘under the carpet’ so to speak, then surely it’s an easy risk assessment – disclose and pay a fine or don’t disclose and if discovered, go to jail.
Nothing concentrates the mind like the threat of jail time. My opinion is that this would significantly improve the data protection situation, at least here in the UK.
Why does there “have to be some kind of punishment?” We’re not putting Tony Hayward in jail. Why do we need jail for data breaches, but not oil breaches?
If you want to punish organizations for negligence, smaller fines, imposed more predictably.
But the real trouble is, even with a threat of jail, we lack effective guidance of what to do to avoid a breach.
“But the real trouble is, even with a threat of jail, we lack effective guidance of what to do to avoid a breach.”
Actually, I don’t think we do. We have plenty of advice and guidance, technical solutions where these can assist (e.g. DLP solutions, full disk encryption solutions etc) – stuff exists out there to help reduce the likelihood of a data breach. Some organisations do manage to put in workable processes that users can follow to reduce the likelihood of a breach.
The problem we have is that there is no credible ‘stick’ to use when breaches occur. Governments and regulators can mandate all they like but they are not taken seriously by directors, company CEOs and those people who hold the reigns. Fines are a drop in the ocean, and in any case, people have short term memories – there might be some initial bad publicity but people soon forget. Thus, we continue to see breaches in the press.
Here’s an example: in England, a mandate went out from the NHS Chief Executive to all NHS organisations stating that they must ensure that all mobile computing systems had their disk drives encrypted. Furthermore, all transfers of sensitive data taking place on physical media must be encrypted. Guidance documents on this mandate was put out to NHS organisations. Furthermore, a central solution was purchased which NHS organisations could obtain for free which would provide full disk encryption for mobile computing systems and facilities to ensure that data on other physical media could be encrypted.
Fast forward two years and what’s the situation like within the NHS? Still data breaches occur despite the guidance and incredibly, some of these losses include unencrypted laptops, media such as USB sticks etc – this is despite the provision of a ‘free’ solution to ensure that these systems and media can be encrypted.
Now, if these losses of unencrypted media/systems don’t constitute negligence then what does?
I’m afraid it has come to the point that despite the guidance, and the availability of tools and solutions to assist with preventing breaches, some CEOs and senior managers continue to play fast and loose with sensitive data. Until there is a real deterrent with serious consequences for individuals, such breaches will only continue.
You want a CEO to go to jail because we have guidance that reduces likelihood? What about guidance that if followed, allows people to get their jobs done and prevents breaches?
I’m not familiar with the NHS guidance, and can’t comment on specifics, but in my overall experience, it’s common to see guidance like “all transfers of sensitive data taking place on physical media must be encrypted” which fail to take into account a set of circumstances (such as older hardware for which no network or crypto software exist) that lead to routine and sensible circumvention of procedures.
“You want a CEO to go to jail because we have guidance that reduces likelihood?”
No, I want a CEO to go to jail when it is proven beyond all reasonable doubt that they failed in their duty to ensure that sensitive data that they are responsible for was properly protected.
This is all measurable. I.e. does the organisation have appropriate security policies, proper processes/procedures that can be followed to minimise the risk of a data breach, risk assessment of information transfers etc etc. Absence of some/all of this stuff potentially shows negligence on the part of the person at the top responsible for all this stuff.
What I want is for the people at the top collecting the big fat salaries to actually step up to the plate and properly accept responsibility for this kind of thing and be properly punished when it can be shown they have materially failed. In my opinion, that is not unreasonable.
“What about guidance that if followed, allows people to get their jobs done and prevents breaches?”
This already exists, lots of organisations have it and use it daily. They’re the better run organisations, where CEOs and senior management have understood their responsibilities and have ensured that appropriate time and resource has been provided so that sensitive data can be properly protected.
Somebloke,
I don’t think we’re going to convince each other. I look at things like PCI, SAS-70 and others and am unconvinced that the standards are sufficiently prescriptive that we should be sending people to jail.
Have you read the book after which this blog is named?
Adam
Accountability appears to be the key issue here. Many companies actively choose not to put controls in place that would prevent breaches based on the associated risk – whether that risk is financial, brand name or incarceration.
If the legislative side of data breaches has no teeth then how do you persuade organizations to tighten up on the controls?
The average individual suffering from Identity theft incurs at least $1,500 in personal expenses and spends over 60 hours trying to get everything corrected. Once a victim, their data is out there in cyber crime world and they are increasingly likely to be a repeat victim.
Fines / punitive measures do not stop the breaches but if they have teeth maybe in time the message will get through. Standards are in place (HIPAA / PCI-DSS / ISO27001, etc.) and typically the criteria – if applied truthfully would prevent the majority of breaches – OR – would detect the breach earlier.
Regards – David J Coombes, PCI-QSA
Hi David,
Tightening up on controls is not the goal, protecting people and ensuring that costs accrue to the party most able to provide security should be the goals.
As to your claims of costs & likelihood of repeat victimization and especially that the standards you cite would reduce breaches: data, please. My point in the blog post is that we lack such data.