According to Advisen’s Loss Insights Database, 2014 was a major year for settlements of cyber-related cases that resulted in fines and penalties, reflecting the many cases that occurred in previous years but were settled only last year. The increase in fines and penalties in recent years also reflects the fact that more states have passed data breach notification laws and that federal regulators such as the Federal Trade Commission (FTC) have become more active in investigating cyber events and penalizing organizations that do not properly safeguard their data.
While the vast majority of fines and penalties hit organizations for less than $1,000, a few outliers send a clear message that regulators mean business when investigating cyber incidents. Approximately 15 percent of all fines and penalties exceed $1 million, and one percent top $10 million, according to Advisen data. The current record goes to the 2007 settlement of the data breach at TJX Companies, one of the first major hacker intrusions into a national retailer.
Despite the many breaches suffered by retailers and the clearly tempting repository of data they hold for cybercriminals, wholesale and retail are not hit with the highest fines and penalties, according to Advisen data. The “services” category makes up the largest group experiencing fines and penalties related to cyber events, and that tally has only grown in recent years. The finance, insurance, and real estate sectors are not far behind, however, as they are in many cases subject to additional regulatory scrutiny because of the sensitive information they hold. Fines against these organizations, as well as against public administration, have decreased since 2011, after occupying a much higher spot before 2005.