Mandatory notifications to affected parties are being legislated in many countries. Mandatory notification is designed to protect the individuals who are the victims of a data breach, not the entity that leaked the data. Loss of organizational reputation and customer confidence naturally flows from data breaches and the notifications that follow them.
Added to the costs of notifying affected parties come both governmental and civil penalties if the organization has not taken reasonable steps to ensure the protection of the data under its control. In many jurisdictions, much of the notification requirement and civil liability can be avoided by using encryption to secure confidential records.
Compliance with Data Breach Notification Requirements
Complying with mandatory breach notification laws is inherently costly and complicated. There can be government-mandated penalties such as those seen under HIPAA, civil liability and, in rare cases, criminal liability. On top of these come the notification costs, the cost of rectifying the breached system, downtime and reputational damage.
Data breach laws are complicated and leave organizations exposed to far more than reputational damage.
Data Breach Complexities
What law applies: In many states, mandatory notification laws mean that the organization responsible for the data breach must comply with that state's law. In some instances, organizations will also have to comply with the data breach notification requirements of individual countries. The complexity of complying with data breach notification laws across jurisdictions makes compliance a costly process.
An illustration of this complexity is the 46 individual state laws covering data breaches in the USA. Whilst state laws share similarities, they also contain significant differences, such as what triggers mandatory notification.
In 2009 the European Union implemented its own data breach directive, mandating legal compliance by member states.
With 46 individual state laws, the EU data breach directives and the gamut of individual laws in other countries, the complexity and cost of compliance is significant.
Cost of notifying and rectifying: The cost of notifying affected parties may well be negligible in terms of the overall cost of a data breach. In some jurisdictions organizations are required to take additional steps to protect the victims' information, such as credit monitoring at the organization's expense.
System downtime and the cost of securing systems may well exceed all expectations. The average cost (USD) per record for data breaches currently sits at $188 for US organizations and $199 per record for German organizations. This cost increases to $277 per record for US companies if the breach is malicious.
Government penalties: Regulatory penalties are becoming more common for data breaches involving personally identifiable information.
The health industry has a data protection law in HIPAA and, more recently, the HITECH Act. HIPAA stipulates penalties of up to $1.5m per violation for failing to have appropriate data safeguards.
Under both HIPAA and HITECH, data encryption is recognized as a "safe harbor" and "adequate" security (assuming appropriate implementation).
The US Federal Trade Commission has also been enforcing data security, levying monetary penalties on organizations where it deems that they "deceived customers" by failing to protect customer information. Some US state data breach statutes specify state-based penalties for data breach infractions. Government penalties are not limited to the United States, however: the UK Information Commissioner's Office imposes fines for data breaches and for failure to protect the privacy of individuals. The EU is enforcing data breach notification laws and, for some sectors, breaches must be reported within 24 hours of the event.
Japan has implemented a law stipulating fines of 10,000 Yen per record breached for the financial services industry. This equates to roughly $100 for every record exposed.
These are just some of the individual laws that impose monetary penalties for failure to adequately protect data which is subsequently exposed by a data breach.
Industry penalties: Organizations need to be concerned not only about government penalties; industry associations and private organizations have also been levying penalties as a result of data breaches. Visa and MasterCard have levied severe penalties for breaches of their Payment Card Industry (PCI) standards. In one instance, an organization was fined a total of $15.6 million for a data breach that revealed credit card details. Storing unencrypted credit card details is a violation of the PCI standards.
Civil liability: Recent precedents have demonstrated organizations' exposure to civil complaints and damages as a result of data breaches. Currently 10 US states have explicit statutes granting a right of private action against organizations responsible for data breaches. In one specific example, settled in 2013, a supermarket chain paid damages of $10 million after a class action lawsuit over the leak of 160,000 records in a 2005 data breach. Civil liability and class action lawsuits are fast becoming a reality, which means organizations must encrypt data to reduce the significant commercial risk associated with storing personally identifiable information.
Avoiding Costly Data Breach Incidents
The Ponemon Institute reports that "having a strong security posture" is key to minimizing the effects of data breaches. Part of this posture includes technical controls, action plans and designating a person with appropriate skills to direct the security response. By utilizing the encryption, access controls and countermeasures provided by StratoKey, organizations can avoid much of the complexity and even the necessity to notify in the event of a data breach. Encryption renders the data unintelligible, and in many instances mandatory notification laws have exclusions for encrypted data.
StratoKey helps mitigate the risk of data breaches and the associated monetary, reputational and regulatory penalties.