The UK’s Financial Services Authority has imposed a £2.28 million fine for losing a disk containing information about 46,000 customers. (Who was fined is beside the point here.)
I agree heartily with John Dunn’s “Data breach fines will not stop the rot,” but I’d like to go further: Data breach fines will prolong the rot.
In particular, fines encourage firms to hide their problems. Let’s say you believe the widely quoted breach-cost figures of $197 or $202 per record. At $202 per record, breach response and notification for 46,000 records would run $9,292,000 (2.6 times the fine, which comes to $3,522,000).
At some point, one or more executives makes a call between disclosing and accepting the risk of penalties for ignoring the law. If a fine were independent of disclosure, then the fine would not influence disclosure. But fines are not independent. They depend heavily on the business first deciding to disclose. The fine may well get worse if you’ve concealed the error. But fines are highly uncertain: first, the size of the fine isn’t known, and second, whether a fine will be imposed at all is unknown. So unless breach fines are regularly huge, sweeping things under the rug will make more sense than inviting them.
In fact, the rational choice for a firm is to stay quiet until total non-notification penalties reach (1/p)*c, where p is the probability that a fine is imposed and c is the expected cost of notification. Given estimates that 1/2 to 9/10 of breaches go unreported, that would entail fines of $400 to $2,000 per record. For the breach that started me thinking about this, that’s $18-92 million. Let’s call it 50 million bucks.
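The threshold above follows from comparing expected costs; this worked derivation is added here and is not part of the original post. It assumes the fraction of breaches that go unreported is a usable proxy for 1 - p, and it uses the post’s own figures (c = $202 per record, 46,000 records).

Expected cost per record of disclosing: c
Expected cost per record of concealing: p * F, where F is the non-notification penalty per record

Concealing is the cheaper choice while p * F < c, so the penalty only deters concealment once
F >= c / p = (1/p) * c

If 1/2 of breaches go unreported, take p = 1/2: F >= 2 * $202 = $404, about $400 per record
If 9/10 of breaches go unreported, take p = 1/10: F >= 10 * $202 = $2,020, about $2,000 per record

Scaled to 46,000 records:
46,000 * $400 = $18.4 million
46,000 * $2,000 = $92 million

The uncertainty in L4 enters through p and F being expectations rather than known values; anything that lowers a firm’s estimate of p (fewer breaches detected by the regulator) raises the penalty needed to make disclosure rational.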
For those wanting to deter breaches, and those wanting to punish the firms which lose control of data, that may be attractive. But for context, for a 2005 explosion which killed 15 people and injured 170 more, BP was fined $50 million, and a single fatality at a wheat handling facility led to a fine of $1.61 million.
Is this breach a problem of the same magnitude as one that kills 15 people? I have trouble seeing it that way. Maybe if we had a better understanding of the link between different breaches and their impact on real people, we could assess it better. Maybe 1,500 of the people whose data was lost will spend the next five years unable to live their lives because of the lingeringly corrupt databases that result. Maybe fraud and corruption will result from this breach. Unfortunately, despite the growing number of states that call for a risk assessment before notification, such risk assessments are, at best, a set of guesses strung together by well-meaning professionals. More likely, they’re CYA and justification for not notifying. When I say “more likely,” that’s my analysis of motivations and economics. It’s better grounded than any post-breach risk assessment I’ve seen.
I am deeply sympathetic to the desire to punish those who put others at risk, both to deter and for the punitive value.
But fines won’t reliably do that. They will prolong the rot.