Saturday, December 7, 2013

Divvy Up the Data Breach Fines

There are now a bunch of laws that require companies to publicly disclose a data breach and provide guidance to the victims associated with the lost data. In a growing number of cases there are even fines to be paid for very large, or very public, or very egregious data breaches and losses of personal information.

I often wonder what happens to the money once the fines have been paid. I'm sure there's some formula or stipulation as to how the monies are meant to be divided up and to which coffers they're destined to fill. But, apart from paying for the bodies that brought forth the case for a fine, is there any consistency to where the money goes and, more to the point, does that money get applied to correcting the problem?

In some cases I guess the fine(s) are being used to further educate the victims on how to better protect themselves, or to go towards third-party credit monitoring services. But come-on, apart from a stinging slap on the wrist for the organization that was breached, do these fines actually make us (or anyone) more secure? In many cases the organization that got breached is treated like the villain - it was their fault that some hackers broke in and stole the data (it reminds me a little of the "she dressed provocatively, so deserved to be raped" arguments). I fail to see how the present "make'em pay a big fine" culture helps to prevent the next one.

A couple of years ago during some MAAWG conference of other, I remember hearing a tale of how Canada was about to bring out a new law affecting the way fines were actioned against organizations that had suffered a data breach. I have no idea whether these proposals were happening, about to happen, or were merely wishful thinking... but the more I've thought on the topic, the more I'm finding myself advocating their application.

The way I envisage a change in the way organizations are fined for data breaches is very simple. Fine them more heavily than we do today - however half of the fine goes back to the breached company and must be used within 12 months to increase the information security of the company. There... it's as simple as that. Force the breached organizations to spend their money making their systems (and therefore your and my personal data) more secure!

Yes, the devil is in the detail. Someone needs to define precisely what that money can be spent on in terms of bolstering security - but I'm leaning towards investments in technology and the third-party elbow-grease to setup, tune, and make it hum.

I can see some folks saying "this is just a ploy to put more money in the security vendors pockets!". If it's a ploy, it's hardly very transparent of me is it? No, these organizations are victims of data breaches because their attackers are better prepared, more knowledgeable, and more sophisticated than their victims. These organizations that are paying the fine would need to be smart about how they (forceably) spend their money - or they'll suffer again at the hands of their attackers and just have to pay more, and make wiser investments the second time round.

I've dealt with way too many of these breached organizations in my career. The story is the same each time. The IT departments know (mostly) what needs to be done to make their business more secure, but an adequate budget has never been forthcoming. A big data breach occurs, the company spends triple what they would have spent securing it in the first place doing forensics to determine the nature and scope of the data breach, they spend another big chunk of change on legal proceedings trying to protect themselves from lawsuits and limit liabilities and future fines, and then get lumbered with a marginal fine. The IT department gets a dollop of lucre to do the minimum to prevent the same attack from happening again, and they're staved again until the next data breach.

No, I'd much sooner see the companies being fined more heavily, but with half of that wrist-slapping money being forcably applied to securing the organization from future attacks and limiting the scope for subsequent data breaches. I defy anyone to come up with a better way of making these organizations focus on their security problems and reduce the likelihood of future data breaches.

-- Gunter Ollmann

1 comment:

  1. Wouldn't this encourage organisations not to invest in security until a data breach occurs, at which point they know they can then invest 50% of their fine into getting their security right?

    The auto industry (yeah, sorry) uses lawsuits plus product recalls to fix their failures. Could we do the same for data breaches: receive a fine and take down your website _until_ the flaws are addressed?