Hefty New Fines for Data Breaches
Paul Roberts wrote a fascinating article for ‘The Digital Guardian’ about the massive 2015 Hilton data breach.
To refresh your memory: in 2015, the Hilton hotel company suffered criminal data breaches that exposed hundreds of thousands of customer credit card records. Last week the New York Attorney General gave Hilton a US$700k fine for the breach.
Paul Roberts’ post talks about the fine levied against Hilton and points out that although the judgement is not a significant penalty for a company the size of Hilton, the consequences of such incidents for companies are set to change dramatically, and soon.
Stringent GDPR Regulations Coming in 2018
In May 2018, the EU will introduce a new regulation, the ‘General Data Protection Rule.’ Under this new regime, any company doing business in the EU, or even just selling goods or services to EU citizens, will be subject to penalties of up to 4% of its annual revenue.
In his article, Paul Roberts invites us to imagine the very different situation Hilton would be in had its data breach happened after the introduction of the GDPR. On top of the relatively insignificant US$700k fine from the NY Attorney General, Hilton would also potentially be facing a whopping US$420 million penalty from the EU. The Hilton data breach involved the exposure of about 360,000 credit card records, so under the new EU rules coming into effect next year, Hilton’s penalty would go from about US$2 for each exposed record to around US$1,200 each. That’s a big difference in anybody’s books.
This article is a wake-up call for all business owners: whether you’re an international corporation or just a small business with EU customers, as of May next year you will fall under the auspices of the GDPR and its hefty fine schedule.
From a cybersecurity perspective, the incoming GDPR obviously means an even bigger incentive to build tight, effective security around sensitive data. But there’s another dimension to this issue that is widely misunderstood: the vectors through which these sorts of breaches are perpetrated. Most of the time, big corporate data breaches are not the result of direct hacking; they are caused by human vulnerabilities exploited through email scams.
How Can We Better Prevent Data Breaches?
I spend a lot of my time talking to CxOs about their concerns around cybersecurity. There’s a widely held misapprehension amongst business leaders that data breaches are the work of hackers attacking companies’ security defences directly, or combing through millions of pages of files looking for vulnerabilities. In reality, though, the vast majority of cybercrime is perpetrated through relatively simple, email-based attacks. Criminals looking to gain access to the sensitive data held by corporations use the same devious techniques that scammers employ: bogus login invitations, fake alert emails and the like.
The reality is that in about 90% of corporate cybercrime, email is the method of attack favoured by criminals. They deceive employees into clicking on malicious email links that can harvest their login credentials and expose company data. It was an attack of this sort that led to the Hilton data breaches in 2015.
The corporate losses from criminal email attacks are climbing steeply, year on year. Starting in May next year, the potential losses from such cybercrime incidents will be compounded by the stringent penalty regime of the GDPR.
Companies that formerly regarded data breaches as an unavoidable cost of doing business will need to adjust their thinking and examine their cybersecurity strategy more carefully if they want to avoid being hammered by hefty EU fines.
Preparation is Key to Managing GDPR
My own experience with email-based cybercrime and the experiences of my peers have been the driving force of my work building better email security. When there are billions of dollars at stake, and all it takes to steal your data is a cleverly worded email, the challenge for business leaders is not whether to take email fraud seriously, but when.
In his Digital Guardian article, Paul Roberts is sounding a timely warning for all of us in the corporate world. It’s reasonable to expect that the EU’s GDPR will set a trend in international regulatory standards. The US Government has been debating these kinds of more aggressive rules for years. The Australian Government is bringing in strict new rules with the ‘Notifiable Data Breaches’ law in February next year.
With mounting pressure on governments globally to do more to close the gaps in cybersecurity, we will be seeing much higher standards for compliance everywhere. Forward-thinking business owners and CxOs who move now to implement better strategies will come out ahead of the curve. The alternative for business is struggling to mitigate the impact of massive future penalties.
How to Get GDPR Compliant:
The coming wave of more effective and punitive cybersecurity compliance regulation is a real challenge for all business people and CxOs.
In the big picture this is a positive development, because it will create a safer and more trustworthy digital marketplace for all of us, but in the short term it means putting some thought into how to rise to this challenge.
I’ll be continuing to talk about the GDPR and cybersecurity compliance more broadly on this blog, and on my social media feeds.
Don’t hesitate to reach out to me if I can help answer your questions about the GDPR, or cybersecurity compliance.
I’m looking forward to hearing about your experiences with online crime, and also about the challenges you are facing in this arena.
Read More About the GDPR:
For detailed information about the incoming GDPR regulations and their ramifications for corporate leadership and cybersecurity, visit the EU’s Justice website.