In IT circles, you might hear about the need for better data protection in the enterprise, the challenges of security in an age of BYOD (bring your own device), and the costs of creating an airtight infrastructure that is all but impenetrable to would-be criminals.
Yet the reality is that large companies are fined for compliance violations on a regular basis. When it happens, there are issues with reputation management, legal ramifications, and breach notification obligations that go beyond the simple task of paying the fees and plugging the security hole. In most cases, it is necessary to carry out a lengthy post-mortem after a data breach occurs.
Learn about the fine
Of course, the first step is to determine the amount of the fine, why it was imposed, who was involved, and which compliance regulation was violated and therefore what has to be fixed. There is an initial shock over the penalties for a violation, but a company cannot act until it understands the reason behind the fine.
"In the UK, the information Commissioner's Office can levy fines of up to £500,000 [around US$820,000, AU$925,000] for serious breaches of the Data Protection Act and Privacy and Electronic Communications Regulations," says Ian Rowlands, the VP of product management at ASG Software Solutions, a software services company.
He further notes: "The ICO doesn't play favourites! In July of this year the Chief Constable of the Kent Police force received notice (as the designated Data Controller) that his force was to be fined £100,000 [around US$165,000, AU$185,000] for failing to take care of items including 'documents and video/audio tapes containing confidential and highly sensitive personal data about a significant number of individuals.'"
While that is just one example, large companies are fined for compliance violations in amounts ranging from a few thousand to much higher payments in the millions. In the US, violations of HIPAA (the Health Insurance Portability and Accountability Act) are a more common source of fines.
"The amount of fines will vary depending on the jurisdiction, the regulator and the severity of the incident (i.e. number of people affected, the risk of harm, etc.)," says Gant Redmon, the General Counsel at incident response vendor Co3 Systems. "They can be assessed on a per record basis and/or a per incident basis and can easily go into the millions of dollars.
"Fines could be assessed for things like not securing the data properly and for not disclosing the breach according to regulation. In the UK the organisation would most likely incur fines for not taking proper precautions to secure the data, which is in contravention of the Data Protection Act."
Tom DeSot, the CIO at Digital Defense (DDI), a risk management company, says fines occur for two primary reasons. One is when a corporation is grossly negligent about a compliance regulation. The second is when a company was fined previously for an infraction and did not completely fix the problem.
Find the problem
The next steps are to find out how the breach occurred, who was responsible, and why your existing data protection policies and procedures did not work. That involves a post-mortem to examine your IT security infrastructure. The important point here is to be thorough enough to make sure the breach (and any related compliance fines) do not happen again.
"This is a great opportunity for integrated data management – to extend the data inventory (best described in a metadata repository), and make sure the process and communications metadata on any given data asset class is collected, managed and readily accessible," says Rowlands.
"Fixing the problem is about taking corrective and preventative action but that is not all. Your organisation must guarantee that it not only corrects the problem but detects and protects itself from incidents in the future," says Jimmy Lin, Vice President of Product Management and Corporate Development at The Network, a risk management company.