Hackers constantly probe computer networks worldwide for vulnerabilities, seeming to pull off a major cyberattack almost weekly. In the past three weeks alone, HSBC Bank of London reported that its U.S.-based accounts were illegally accessed; hackers compromised an Australian military shipbuilder's personnel files; and Hong Kong airline Cathay Pacific confirmed a breach that affected up to 9.4 million passengers. The intrusions by criminal and state-backed hacker groups are aimed at obtaining personal information such as names, phone numbers, addresses, national identification numbers, and credit card and banking information. The groups can either sell the data to others who exploit it for financial gain or use it to conduct more targeted attacks, making breaches a national security concern as well as a corporate one. Now, governments in Europe and North America are pushing companies harder to shore up their network defenses and are fining those that are lax. On top of that, businesses that expose customers' information are increasingly being hit with lawsuits by affected consumers.
As competition in cyberspace heats up around the world, Western countries are using multiple approaches to bolster their defenses against cyberattack. Among them are regulations and legal settlements to push businesses to better protect their networks and data.
Carrots and Sticks
While breaches are a major concern for companies and their customers, they also worry national governments. In the United States, the new National Cyber Strategy, released by the White House in September, highlighted the importance of private companies when it comes to protecting U.S. residents and the homeland — the first of a four-pillar strategy. Among the main objectives of that pillar were promoting investment in cybersecurity and improving incident reporting and response. But while the U.S. government offers carrots in the form of funding to improve defenses and law enforcement assistance (as well as the promise of more offensive cyber operations against hostile actors), there are also sticks. Fines linked to regulatory violations have been rising after data breaches, as have settlements from class-action lawsuits.
And that is not just in the United States. In the United Kingdom and Canada, the number of cases leading to penalties and settlements has increased nearly sixfold from 2014 to the end of October 2018. For those organizations found liable, the cost of those penalties and settlements has increased even more dramatically, from $10 million in 2014 to $270 million so far in 2018. This year's spike is largely attributable to the record $148 million settlement against Uber in September, but even when that is removed, the average per-case cost increased nearly two-thirds from 2017 to 2018 — from $4.4 million to $7.2 million.
Breaches and Corporate Punishment
Nearly half of the companies that have faced regulatory penalties or that have paid legal settlements in the United States, the United Kingdom and Canada are in the health care, retail and financial services sectors. In October, the U.S. Department of Health and Human Services issued its largest fine yet, penalizing insurance company Anthem Inc. after a data breach compromised the information of 79 million people in 2014. In 2016 and 2017, Home Depot agreed to settlements worth $44.5 million linked to class-action lawsuits for a 2014 breach that compromised the email and credit card information of 50 million customers.
In the financial sector, two cases illustrate how the punishment is commensurate with the damage that a breach causes. Within a nine-month period, the U.S. Securities and Exchange Commission issued $75,000 and $1 million fines to R.T. Jones Capital Equities Management Inc. and Morgan Stanley Smith Barney, respectively, for breaches that revealed individual accounts. R.T. Jones received the lesser penalty for a breach that it reported within three weeks of its occurrence, affecting 100,000 accounts. Morgan Stanley, on the other hand, was hit harder because the breach compromised more accounts (730,000) and it took nearly two years for the company to report it.
The balance of government penalties hit companies from a variety of sectors: higher education, local governments and even at least one religious organization in the United Kingdom. However, it is not by coincidence that health care, retail and financial services have been the most heavily affected sectors so far. In the United States, health care providers were already under the stringent patient privacy regulations set by the Health Insurance Portability and Accountability Act (HIPAA) before digitization and remote access to data via the internet were commonplace. The Department of Health and Human Services' Office of Civil Rights, which handles HIPAA violations, was arguably the regulatory agency best equipped with the legislative authority to pursue the massive data breaches that have become so commonplace. Additionally, hospitals are notorious for having outdated information technology, making them a favorite target for ransomware attackers. Similarly, the SEC and the U.S. Federal Trade Commission have authority over consumer protection and corporate financial reporting regulations, which have allowed them to pursue breaches in the financial and retail sectors.
In Canada and Europe, governments have tried to take a more centralized approach to regulation, tasking a single office with handling all forms of data breaches, regardless of size, sector or cause. Violations range from accidentally making databases containing personal information accessible on the public internet to more nefarious state-backed cyberattacks — in the case of Yahoo — to dramatic mismanagement of data breaches and cover-up attempts.
From Sticks to Cudgels
In May 2018, the European Union launched the General Data Protection Regulation (GDPR), giving bloc members the legal tools to punish companies that mishandle information, ranging from unwanted solicitations to data breaches from cyberattacks. The GDPR also increases the maximum punishment that regulators can levy to 20 million euros ($22.4 million) or 4 percent of the company's global annual revenue, whichever is higher. The first major test for the GDPR is expected to be a case against Facebook, which revealed in September that 14 million accounts were compromised. Based on the 4 percent rule, the company could theoretically be fined up to $1.6 billion. Even if investigators do not pursue the maximum penalty, Facebook will likely receive a penalty eclipsing those that have typically been handed out in Europe so far, which vary from hundreds to thousands of euros.
In March, the Information Commissioner's Office, which handles data breaches for the United Kingdom, fined Facebook the maximum of 500,000 pounds ($640,000) over the Cambridge Analytica scandal, which broke earlier in 2018. Since that incident happened before the GDPR went into effect, it was limited to the old penalty ceiling. Pending lawsuits against British Airways and data aggregation firm Exactis from breaches earlier in 2018 will be important to watch for indications of a trend toward higher settlements. Exactis is especially important since its data breach was one of the biggest in terms of the number of people affected: 200 million U.S. consumers and 110 million business contacts.
In Ireland, the Data Protection Commission, which now has the GDPR at its disposal, has increased its operations budget 800 percent since 2014, adding staff to handle the increasing caseload. Across the Atlantic, Canada has recently implemented new regulations on data breaches, giving its Office of the Privacy Commissioner the authority to fine companies if they do not report breaches in a timely manner. U.S. states are taking matters into their own hands where federal regulatory bodies come up short. California passed one of the more aggressive pieces of data protection legislation this summer; it won't come into effect until 2020, but other states, such as New York and Massachusetts, already have laws on the books. And at the federal level, the Office of Civil Rights has 113 open investigations into hacking-related data breaches so far in 2018, compared with 81 such cases for 2016 and 2017 combined.
During 2019, the trend toward increasing penalties against a rising number of organizations hit by data breaches is likely to continue. Digital advances such as distributed ledger technology — better known as blockchain — promise to mitigate the risk and scope of data breaches, but that technology is not widespread and still several years away from replacing current online data transaction and storage systems. Security professionals and regulators will continue to struggle to protect the collection and storage of ever more information. They must contend with the continually expanding appeal of e-commerce, the convenience of sharing data online and the sheer amount of data to safeguard. In addition, they must fend off the hostile actors who are looking to steal that data because of its financial and intelligence value. So data breaches will continue for the foreseeable future as more and more data attracts more cyberattacks. And those will, in turn, lead to higher corporate costs from government fines, as well as lawsuits.