Will downward trend of cyber-related fines & penalties reverse?

By Josh Bradford on May 15, 2014

In the United States there is no comprehensive piece of legislation that broadly regulates a company’s possession and use of consumer data.

Instead, there is a patchwork of more than 20 federal laws with privacy and data security provisions and numerous state data protection and/or breach notification laws. Some of the most stringent federal laws are designed for specific industries or populations. Examples include:

  • Health Insurance Portability & Accountability Act (HIPAA) (Healthcare)
  • Health Information Technology for Economic & Clinical Health Act (HITECH) (Healthcare)
  • Gramm-Leach-Bliley Act (GLBA) (Financial)
  • Children’s Online Privacy Protection Act (COPPA) (Applies to data of children under 13 collected online)
  • USA PATRIOT Act (applies to data that resides in or flows through the U.S.)

Enforcement of privacy and data security laws falls to a variety of regulators depending on the industry. For example, HIPAA is enforced by the Department of Health and Human Services (HHS), and COPPA is enforced by the Federal Trade Commission (FTC).

According to Advisen’s Loss Insight Data, some notable cases include:

  • Google Inc.: Google was fined $22.5 million by the Federal Trade Commission (FTC) to resolve allegations that it duped millions of web surfers who use Apple Inc.’s Safari browser. Google had assured people that it wouldn’t monitor their online activities as long as they didn’t change the browser setting to permit tracking. According to the FTC, Google broke that promise by creating a technological loophole that enabled the company’s DoubleClick advertising network to shadow unwitting Safari users.
  • WellPoint: Insurance company WellPoint was fined $1.7 million by the U.S. Department of Health & Human Services (HHS) for exposing more than 600,000 personal records online due to weak database security.
  • ChoicePoint, Inc.: Consumer data broker ChoicePoint, Inc. acknowledged that the personal and financial records of more than 163,000 consumers in its database had been compromised. As a result, it agreed to pay $10 million in civil penalties and $5 million in consumer redress to settle FTC charges that its security and record-handling procedures violated consumers’ privacy rights and federal laws.

Although there is no federal privacy and data security regulation that applies to all companies in all industries engaged in interstate commerce, the FTC is increasingly flexing its muscles. Thanks to a recent court decision, the FTC has confirmed its authority to take action against companies on behalf of consumers for failing to safeguard their data.

In last month’s data security case, FTC v. Wyndham Hotels Corp., et al., a federal district court ruled that the FTC has authority under the FTC Act to bring enforcement actions against companies that cause harm through weak data security practices. Wyndham had argued that Congress did not intend for data security to be regulated under the FTC Act, because it had passed a variety of data security laws aimed at specific industries and populations.

This decision opens the door for the FTC to continue taking action against companies that do not take the necessary steps to protect consumer data.

Cyber-Related Fines & Penalties over Time

This chart shows the number of cyber-related fines and penalties over time. Although the number of penalties has tailed off in recent years, increased data security awareness driven by recent high-profile breaches and the Wyndham ruling may reverse this trend in the coming years.

[Chart: Cyber-related fines and penalties over time]

Cyber Cost Distribution

Among the different costs associated with cyber-related cases, fines and penalties by far make up the smallest portion. This may change in the future, however, if Congress creates a national data protection and breach notification law.

[Chart: Cyber cost distribution]

Relative Incidence Rate by Industry

“Finance, insurance, and real estate” is the industry with the largest relative incidence of regulatory fines and penalties. The relative incidence rate is derived by dividing the number of cases by the number of businesses in each respective industry. Heavily targeted by cyber criminals, the financial industry has been the focus of regulations such as the Gramm-Leach-Bliley Act (GLBA), which includes a provision requiring financial services companies to establish privacy safeguards to protect consumer information and to alert consumers in the event of a data breach.

[Chart: Relative incidence rate by industry]

Josh is an Editor at Advisen in the Research & Editorial division. He is the lead editor responsible for several of Advisen’s Front Page News editions, and he also originates custom research on behalf of Advisen’s largest insurance company clients. Contact Josh at [email protected].