After the Marriott data breach, the Quora breach, the Anthem breach, and the Uber breach… well, you get the picture. After all of these data breaches, from the commercial perspective, it’s clear that the free market is failing to drive companies to implement adequate data security. Financially, the cost of the breaches, and any subsequent fine, is likely to be far less punitive than it appears on the surface.
Marriott did see a 20% drop in their share price in the weeks following the breach announcement (falling $21 to $100.99), but this was in line with a general decline for the year. Their share price recovered almost half of this loss within 2 weeks, keeping it above the previous low point prior to the breach ($107.13 on October 24)... so was there really any impact? And even if the $12.5 billion suit succeeds, how much will that really hurt a company with revenues of $23 billion a year? Likewise, look at the recently announced Anthem penalty of $16 million in response to their record breach of almost 80 million records in 2015. That is the Office for Civil Rights' largest fine to date. It's a blip on the screen for an organization with almost $90 billion in revenue. Uber, the same. They settled for $148 million yet report revenue of $6.5 billion. Now Quora says 100 million users are affected. What will that mean to their bottom line, ultimately?
Are we experiencing Breach Fatigue?
The general public is starting to react less and less to these massive breaches, what is commonly known as breach fatigue. We have become so desensitized to data breaches happening at huge companies that it’s hard to imagine consumer behavior changing all that much, if at all. And if the free market isn’t changing the behaviors of behemoths, can we count on the various state and federal government agencies and regulations?
The EU's GDPR has real teeth, as does, potentially, the California Consumer Protection Act (CCPA, coming in 2020). In fact, it will be interesting to see how the EU views the Marriott breach. No company could easily shrug off a CCPA-type fine for a breach of this size! Creating regulations like GDPR and the CCPA is a start because they address how all users are affected by data privacy (and the lack of it). More recently, a dozen State Attorneys General grouped together to sue an Electronic Medical Records company under HIPAA for a data breach, a first of its kind. But what else can be done?
Give data security a promotion.
From a governance perspective, data security needs a promotion from the tech department to the board room. One problem with how we approach data security is that most companies haven't yet made the leap in mindset to the digital age. They still invest the majority of their cybersecurity budget as though we operate in a closed network where you can just circle the wagons around data.
Instead, we need to focus on where data flows and implement controls at the point of use. Spread the responsibility throughout the organization rather than relying on the CISO for all security measures. Strategic security decisions, and better education about the right type of cybersecurity investment to make where – important for large and small organizations alike – need to happen at the board level as well as the stakeholder level.
Let’s move from glitzy cyber tools to the hard yet sensible work of risk management and better administrative safeguards. Give data privacy and security the attention it deserves at the boardroom level, not just as a budget line item. Push the excellent NIST resources and framework more resolutely. And maybe – at the federal level – we could even move toward rewards for those who invest in data security excellence. Perhaps the motive for data security lies in recognition for excellence versus headlines for fines? Do you agree?