There are now a bunch of laws that require companies to publicly disclose a data breach and provide guidance to the victims associated with the lost data. In a growing number of cases there are even fines to be paid for very large, or very public, or very egregious data breaches and losses of personal information.
I often wonder what happens to the money once the fines have been paid. I'm sure there's some formula or stipulation as to how the monies are meant to be divided up and to which coffers they're destined to fill. But, apart from paying for the bodies that brought forth the case for a fine, is there any consistency to where the money goes and, more to the point, does that money get applied to correcting the problem?
A couple of years ago during some MAAWG conference of other, I remember hearing a tale of how Canada was about to bring out a new law affecting the way fines were actioned against organizations that had suffered a data breach. I have no idea whether these proposals were happening, about to happen, or were merely wishful thinking... but the more I've thought on the topic, the more I'm finding myself advocating their application.
The way I envisage a change in the way organizations are fined for data breaches is very simple. Fine them more heavily than we do today - however half of the fine goes back to the breached company and must be used within 12 months to increase the information security of the company. There... it's as simple as that. Force the breached organizations to spend their money making their systems (and therefore your and my personal data) more secure!
Yes, the devil is in the detail. Someone needs to define precisely what that money can be spent on in terms of bolstering security - but I'm leaning towards investments in technology and the third-party elbow-grease to setup, tune, and make it hum.
I can see some folks saying "this is just a ploy to put more money in the security vendors pockets!". If it's a ploy, it's hardly very transparent of me is it? No, these organizations are victims of data breaches because their attackers are better prepared, more knowledgeable, and more sophisticated than their victims. These organizations that are paying the fine would need to be smart about how they (forceably) spend their money - or they'll suffer again at the hands of their attackers and just have to pay more, and make wiser investments the second time round.
I've dealt with way too many of these breached organizations in my career. The story is the same each time. The IT departments know (mostly) what needs to be done to make their business more secure, but an adequate budget has never been forthcoming. A big data breach occurs, the company spends triple what they would have spent securing it in the first place doing forensics to determine the nature and scope of the data breach, they spend another big chunk of change on legal proceedings trying to protect themselves from lawsuits and limit liabilities and future fines, and then get lumbered with a marginal fine. The IT department gets a dollop of lucre to do the minimum to prevent the same attack from happening again, and they're staved again until the next data breach.
No, I'd much sooner see the companies being fined more heavily, but with half of that wrist-slapping money being forcably applied to securing the organization from future attacks and limiting the scope for subsequent data breaches. I defy anyone to come up with a better way of making these organizations focus on their security problems and reduce the likelihood of future data breaches.
-- Gunter Ollmann