Across the globe, organizations are hearing ominous drum beats: it’s the sound of government regulators levying fines after a data breach. Carphone Warehouse and VTech Electronics are two recent examples of rising fines.

Breach and Fine Details

Following a data breach, Britain’s Information Commissioner’s Office (ICO) just delivered one of its largest fines ever to mobile phone retailer Carphone Warehouse. In announcing the  £400,000 ($675,000) fine, the ICO noted several failures including:

  • Running software that was last updated six years before the attack
  • An absence of antivirus software running on the servers that held the data
  • Using the same root password on every individual server, which was known to “some 30-40 members of staff”

The breach resulted in unauthorized access to the personal data of 3.3 million customers and 1,000 employees. Customer data included addresses, phone numbers, birthdates, marital status and, in many cases, historical payment card data. Employee data exposed included name, phone numbers, postcode, and car registration numbers.

In the US, the Department of Justice filed suit against VTech Electronics in the first case involving Internet-connected toys. VTech just agreed to pay a $650,000 fine. The action stems from a 2015 data breach of the company’s app store database Learning Lodge that affected several million user accounts, releasing names, dates of birth, and gender of children. As part of the deal, VTech must implement a ‘comprehensive data security program’ that will be audited annually for the next 20 years.

Top Posts in Data Security

  1. Cyber Security Predictions for 2018: The Top Experts Speak
  2. Cyber Security Statistics 2017: Data Breaches and Cyber Attacks
  3. Information Security Trends 2017 and 2018
  4. Top Cyber Security Conferences: 2018's Best Information Security Events

Why Fines Will Grow

Across the globe, governments are increasing scrutiny – and fines – after a data breach:

The European Union is just months away from enforcing it General Data Protection Regulation (GDPR). The GDPR will impact all organizations that hold personal information of EU residents. Beyond mandates regarding prompt notification to authorities after a breach, fines can be up to 4% of annual global turnover or €20 Million ($24 million).

The British government’s new Data Protection Bill will strengthen information privacy rules in the UK and allow for fines up to £17 million ($23 million) or 4 percent of global revenue.

A proposed law in the US Senate would give the FTC the ability to fine companies that collect vast amounts of financial data on consumers in the event of a data breach, to the tune of $100 per affected consumer as a minimum.

This increased scrutiny will likely result in increased fines. If data breaches remain at 2015 levels, the Payment Card Industry Security Standards Council (PCI SSC) predicts that UK businesses could face up to £122 billion ($165 billion) in penalties for data breaches when the new EU legislation goes into effect.

Monitor Activity to Help Avoid Fines

We’ve written about the various costs of a data breach, including customer loss and settlement costs. Regulatory fines are another cost, and one that is likely to rise as consumers and their government representatives take note.

Monitoring user activity is a key part of a data breach defense program. In the case of malicious insiders, employee monitoring software can detect if sensitive data is downloaded to a USB drive or emailed to a personal account. Because monitoring software builds a profile of normal and permissible access (noting a user’s standard work hours and geographic location, for example), the software can also help to identify threats from outsiders abusing login credentials. Activity monitoring also reduces the time a data breach goes undetected. The faster the data breach can be identified and contained, the lower the costs.