Why Big Breach Fines Don’t Equal Fewer Breaches

Despite trillions of dollars in breach fine payouts, each year the number of compromised companies and individuals with private data exposed rises.

Breach statistics are downright discouraging: Over the past five years the number of businesses breached has skyrocketed. The human consequences are also bad, with billions of private email addresses, bankcard numbers and other deeply personal data points exposed online and now in the hands of hackers.

Regulators are trying to combat the problem by “encouraging” companies to shore up their data-privacy defenses by way of levying fines — but it’s unclear whether these measures are moving the dial in terms of enterprises’ security postures.

Some of the fines seen so far aren’t chump change: This summer, British Airways-owner IAG was slapped with a $230 million fine by UK regulators for its high-profile 2018 breach. Equifax meanwhile recently said it would pay a minimum of $575 million tied to its 2017 data breach. And, the EU’s introduction of General Data Protection Regulation could exact an even higher financial penalty on breached companies going forward, given a provision that fines can run up to $25 million or 4 percent of annual revenue. So far, Google has seen the largest GDPR penalty, slapped with a $57 million fine for lacking in transparency when it comes to how it collects and handles user data for serving up personalized ads.

Fines Creep Up and So Do the Number of Breaches

Citing 2019 statistics, Jim Barkdoll, CEO of Titus, noted that this year has already seen 3,800 breaches, a 50 percent jump over the past four years. Penalties have risen, he said, but the breach epidemic continues as more companies shift infrastructure to the cloud.

“We’re seeing more penalties, as nothing really existed before GDPR,” he said.

In the U.S., all 50 states have enacted legislation requiring private or governmental entities to notify individuals of security breaches, and in many cases those laws come with hefty fines, including tough new state-level laws such as the California Consumer Privacy Act. But, as the Equifax breach indicates, those fines aren’t limited to being levied by a single state. Equifax’s fine encompasses payments to the U.S. Federal Trade Commission, the Consumer Financial Protection Bureau, 48 states, Washington D.C. and Puerto Rico.

So Do Bigger Fines Equal Better Data Stewards?

Security experts are skeptical that the billions of dollars in fines that companies face (and have paid) have actually made them better stewards of the data they collect and are supposed to safeguard.

“I don’t think so,” said Matthew Gardiner, Mimecast’s cybersecurity strategist. He equated the uptick in breaches to a “widespread public health problem” that can’t be fixed punitively.

“While some organizations are no doubt reckless stewards of data and intellectual property, the problem of security and resilience is a very challenging one,” Gardiner said — one that can’t be fixed with such a blunt instrument as a fine.


What are the top risks to modern enterprises in the peak era of data breaches? Find out: Join breach expert Chip Witt from SpyCloud and Threatpost senior editor Tara Seals, in our upcoming free Threatpost webinar, “Trends in Fortune 1000 Breach Exposure.” Click here to register.


“Penalizing organizations after the breach does little to move the security needle in a positive direction. It just adds more cost and complexity to the post-breach management challenge,” he said, adding that this also makes it harder for companies to afford a rollout of better security.

Others disagree.

“If penalties are high enough, the sheer dollars alone will put you in the crosshairs of your board to ensure your business doesn’t get hit with one of these penalties,” said James Carder, CISO and vice president of LogRhythm Lab. “The penalties for GDPR are up to 4 percent of your global revenue — that’s a significant amount to the business’ bottom line.”

Since those types of figures elevate the profile for data protection to the board level, it should equate to more commitment and investment in data protection, he said.

How to Protect Data, In Lieu of Fines

Colin Bastable, CEO of Lucy Security, said that curing the data-breach epidemic has less to do with fines and regulations, and more to do with changing business models.

“Kill the ‘if it is free, you are the product’ market. Make it illegal to hold consumer data without annually renewing contracts with each consumer,” Bastable said. “Give consumers personal copyright over their personal data, with rights to sue leakers into oblivion.” He even went so far as to suggest jail time for repeat-offender CEOs and CISOs.

While acknowledging how unlikely his remedies are, he pointed out that these draconian solutions are what it would take. “Nothing that would solve the problem is politically viable outside of China or North Korea,” he said.

LogRhythm Lab’s Carder argued that financial penalties are unavoidable. “No matter how you look at it, any alternative will eventually lead to a financial penalty of sorts. If you add an organization to a public ‘wall of shame,’ there is brand damage associated with that,” he said.

Thus, once you factor in the other costs of a breach (clean-up costs, loss of productivity, consumer backlash and brand damage), you’re looking at a significant financial “penalty,” even if it’s not one that was imposed on you by a regulator, Carder said.


A 2018 study by CompariTech analyzed 28 companies that suffered breaches to see what impact the breaches had on stock performance. It found that those companies, including Apple, Adobe, Home Depot, Staples and Yahoo, underperformed on the stock market post-breach.

Stock performance doesn’t include costs associated with customer remediation, loss of customers, business disruption, legal costs and notification costs. Those can add up to $158 per record breached, according to Ponemon Institute’s 2016 Cost of Data Breach Study.

Turning the Corner on Better Breach Protection

Amid the rapid growth of the cybersecurity solutions market, breach-related offerings, including identity, authentication and access management (IAAM), are among the fastest growing.

CyberArk founder and CEO Udi Mokady is quoted in a recent Motley Fool article stating that “IAAM is growing so fast because identity-based breaches at businesses are on the rise, and government regulators are cracking down with big fines.”

However, Ensono’s senior director of cybersecurity, David Gochenaur, cautioned businesses to be wary of gaining a false sense of security, even with these investments.

“Security firms have created more effective defenses to prevent breaches; however, those defenses tend to parallel the threats they are intended to mitigate. The defenses haven’t necessarily moved ahead of the threats,” he said.

To fill the gap, some of the onus has shifted onto law enforcement to discourage criminals from conducting breaches. Many experts, however, feel that police, the FBI and others are still struggling to put those who perpetrate breaches behind bars.

“This is an eternal game of ‘whack-a-mole’ and too much attention is focused on specific perpetrators,” said Willy Leichter, vice president with Virsec. “The most sophisticated threats are coming from outside the US, and hacker groups are constantly changing and morphing into new threats. Law enforcement will never put an end to cyberattacks.”

Earlier this year, when the Feds targeted the GozNym crime group, they worked with six different countries and indicted 10 suspects. Law enforcement managed to catch five; however, the others remain on the loose and are believed to be hiding in Russia.

Is It All for Naught?

For Bastable and many other security experts, stopping breaches has less to do with state-of-the-art cyber-defenses and dogged law enforcement and more to do with human nature.

“Only 3 percent of data breaches are caused by technical exploits,” Bastable said. “People are involved in the other 97 percent. Hackers hack people. CISOs don’t address or control the 97 percent part of the problem.”

The top three breach culprits, according to Titus’ Barkdoll, are human errors, phishing and exposed systems — including inadvertent misconfigurations, which have become rampant.

Despite all of this, Chris Vickery, director of cyber risk research at UpGuard, remains optimistic. He noted that breach mitigation has come a long way and is no longer just back-office talk.

“The tech guys are now having discussions about protecting data and breaches in the front office. The C-suite is starting to get it – cybersecurity and tech hygiene is a company’s lifeblood. And companies realize one incident can bring down a large player. So they know they have got to take it seriously,” Vickery concluded.