When it comes to data breaches and the legislation governing them, you can divide the laws into two camps: the ones where a monetary penalty can be assessed and the ones where it can't. The use of data security software like AlertBoot managed disk encryption for laptops can provide safe harbor from such fines, which many view as a positive exemption within a well-designed legal policy, since it encourages good data security practice. However, many wonder whether financial incentives are the correct approach to stemming the growing tide of data breaches.
Wouldn't it be better if that money were spent on IT upgrades, employee education programs, hiring outside experts, and so on, rather than filling the coffers of government agencies?
An outside survey commissioned by the Information Commissioner's Office (ICO) in the UK seems to suggest that the answer is "no." Nothing attracts more attention to the issue, or prods people to clean up their act, than the transfer of dollars (or pounds sterling, as it were).
60 Pages of “The Obvious”
The survey, commissioned by the ICO and carried out by SPA Future Thinking, involved a total of 99 organizations: 14 that received a Civil Monetary Penalty (CMP) notice and 85 online survey takers who decided to participate.
The ensuing report is quite long (60 pages) but organized in the way of a PowerPoint presentation, so reading it is less arduous than you may believe.
Ultimately, the point and conclusion of the report is this: CMPs work as designed. They spur affected organizations to increase awareness of the importance (and duty) of protecting personal data, up and down the entire organizational hierarchy. Furthermore, other organizations in the same or similar sectors are also prompted to upgrade their security, for fear that they, too, could be on the wrong end of an ICO monetary penalty notice. (Apparently, it's not uncommon knowledge that anyone can be the victim of a data breach.)
One of the most notable results of a CMP is that there is more "buy-in" for data protection from senior management after the fine. (Some argue that the breach itself produces the same effect. Honestly, though, testing that claim would require a comparison with companies that had a data breach but weren't issued a CMP, and those were not part of the survey.)
There are also claims that the reputational hit that an organization took had more of an impact on effecting changes than the financial penalty. This is contradicted, however, by overwhelming admissions that the reputational hit was either short-lived or nearly non-existent. In addition, I note that nobody – absolutely nobody – appears to have complained about their reputation being sullied but a significant majority had some choice words about the fines.
Overall, the report is a pretty interesting read but nothing about it appears to be earth-shattering.
This report is the only one of its kind, as far as I know: reports that try to show the effects of HIPAA fines, FINRA fines, state fines and settlements (e.g., Massachusetts's AG has extracted "financial concessions" from a number of companies), and other penalties similar to the ICO's CMP are non-existent. However, I feel that if any reports I missed were to come to my attention, they'd show the same conclusion.
At AlertBoot, we've personally found that HIPAA's Final Omnibus Rule appears to have had a significant impact on covered entities and business associates. We've seen a growing adoption of full disk encryption as well as increases in inquiries beginning around this time last year, which represents approximately 60 days prior to the Final Rule taking effect. It is still strong, although we've seen a boost due to TrueCrypt's recent troubles.
With such results, it’s hard to argue against monetary penalties. When stern warnings and carrots don’t work, it’s time to start carrying a large stick and speaking softly.