Equifax recently agreed to pay at least $700 million to settle lawsuits from its massive 2017 data breach. It’s the largest data breach financial penalty to date, amounting to roughly a fifth of Equifax’s annual sales, which were $3.4 billion in 2018.
The penalty is on top of the $1.4 billion that the company already spent on post-breach activities and legal fees.
While $700 million is a significant amount of money, most would agree that large companies like Equifax will remain in business. The fine is a one-time occurrence, and bad publicity tends to shrink in the rear-view mirror. The stock price of a public company like Equifax may drop temporarily, but history shows that it usually rebounds.
What’s an Appropriate Penalty?
We certainly don’t want our nation’s largest companies to go out of business every time there is a cybersecurity issue. But as significant data breaches continue to hit the news with increasing frequency, the question remains: What is the best, most appropriate way to quantify the impact of a data breach on consumers and apply the appropriate penalty?
It’s a question that we will have to ask again shortly. Capital One recently revealed a data breach affecting more than 100 million customers and applicants, nearly the same number as in the Equifax breach. And, if current trends continue, there will likely be more data breaches announced before the end of the year.
Applying fines is one approach to improving security, or at least a way to drive stronger focus on security. More companies are facing financial penalties: in addition to Equifax, British Airways is facing a proposed $224.7 million (£183 million) fine for its 2018 data breach, about 1.5% of the airline’s 2017 revenue. Under the new General Data Protection Regulation (GDPR), companies that do business in the EU face penalties for serious violations, including mishandled personal data leading to a breach, of up to 4% of global annual revenue or €20 million, whichever is higher.
But financial penalties don’t apply equally. Small and mid-sized businesses (SMBs), which account for about 58% of all breach victims, often find it much more difficult to recover from the costs associated with a breach, from hiring cybersecurity experts to investigate and remediate their networks to sales lost to bad publicity. While a large company can usually absorb those costs as well as a fine, the same isn’t always true for SMBs.
The impact of financial fines is also dulled by cyber insurance. While we don’t yet know whether Capital One will be fined, the cost of its breach has been estimated at between $100 million and $150 million; the company’s cyber insurance package, however, has a total coverage limit of $400 million.
Other penalty efforts have focused on increasing accountability for company executives, such as the CEO. The Corporate Executive Accountability Act proposes criminal liability for negligent executive officers of major corporations. In the U.K., Parliament has recommended that a portion of CEO compensation be linked to effective cybersecurity. The GDPR places a legal obligation on any organization that handles the personal data of people in the EU, with noncompliance resulting in financial penalties.
Could the Attack Have Been Prevented?
The root question in all these scenarios is: What is the full scope of the damage of an attack and was the company truly negligent—could the attack or breach have been prevented? This question is perhaps where we should focus if we hope to see a collective movement toward better security, instead of a perpetual debate and penalties that produce little more than procrastination.
It can be difficult to determine whether a company knowingly abandoned cybersecurity best practices in favor of profits or other priorities, or whether it took appropriate precautions and simply missed something that allowed an attacker to gain access. For instance, legacy systems are routinely cited as an attack vector. But sometimes organizations don’t know they have these systems because they lack the asset visibility needed to track them. Or they may choose to keep running them despite the security concerns because there is no financially or technically viable alternative. In healthcare, for example, many MRI machines run on a legacy operating system (OS), and it’s not unusual for a machine to remain in service for 10 years or more because of the cost of replacing it.
The challenge of figuring out the appropriate consequences for poor security practices is bigger than any one company. Major breaches aren’t just about stealing personal identities and information; they’re also about economic influence. And the response that seems to be gaining popularity is financial punishment: fines for organizations and businesses that don’t take security seriously. But is that approach working, or is there a better way?
Several standards, such as NIST SP 800-53 and the CIS Top 20 Critical Security Controls, already exist and may start to serve as the legal standard of care. They’re widely known, and many organizations in the private sector and the federal government have adopted them as best practices. Failure to patch a known vulnerability in the Apache Struts web framework was identified as one of the primary factors in the Equifax breach, and patching is covered by the third CIS control, continuous vulnerability management.
Ultimately, no combination of fines will penalize the real bad guys, the ones launching attacks from afar. But fines may force companies to make cybersecurity a priority. What we can hope is that such financial accountability will ultimately deter cyber negligence and engender a more urgent sense of obligation and public responsibility.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Colby Proffitt is a cyber strategist based in Alexandria, Va. He has more than nine years of experience in the federal IT and cybersecurity space.