Privacy Penalties and the Dangers of Non-Compliance

Frequent, highly public cyberattacks have hardened expectations about privacy. While data breaches, privacy violations, and the compromise of sensitive information are becoming "business as usual," they expose consumers and businesses to significant and often unnecessary risks. 

Recent high-profile cyber security breaches illustrate the extraordinary costs that failing to maintain robust and effective cyber defenses presents across industries. 

The examples below reveal that companies incur significant losses through financial settlements, steep regulatory penalties, and loss of reputation. 

Investing in simple, cost-effective Zero Trust Data protection products can save businesses anywhere from a few hundred thousand to a billion dollars in losses. 

T-Mobile: $350 million

In July 2022, mobile communications giant T-Mobile announced the terms of a settlement for a consolidated class action lawsuit following a data breach that occurred in early 2021, impacting an estimated 77 million people. 

The incident centered around “unauthorized access” to T-Mobile’s systems after a portion of customer data was listed for sale on a known cybercriminal forum. An SEC filing revealed that T-Mobile would pay an aggregate of $350 million to fund claims submitted by class members, the legal fees of plaintiffs’ counsel, and the costs of administering the settlement. The company would also commit to an aggregate incremental spend of $150 million for data security and related technology in 2022 and 2023.


Morgan Stanley: $120 million (total)

In January 2022, investment bank and financial services giant Morgan Stanley agreed to pay $60 million to settle a legal claim relating to its data security. 

The agreement resolves a class-action lawsuit filed against the company in July 2020 regarding two security breaches that compromised the personal data of approximately 15 million customers. 

According to claimants, Morgan Stanley failed to protect current and former clients' personally identifiable information (PII). A software flaw meant unencrypted, sensitive data was visible to whoever purchased the equipment.

The claim settlement comes more than a year after Morgan Stanley was handed a separate $60 million civil penalty by the Office of the Comptroller of the Currency (OCC) over the same incidents. 

Colonial Pipeline: $5 Million Breach

In May 2021, the Colonial Pipeline, an American oil pipeline system servicing the Southeast United States, was the victim of the most significant cyberattack on an oil infrastructure target in the history of the United States. The attack by the Russian group Darkside forced the company to halt all operations to contain the damage. Within a matter of hours, and under FBI oversight, Colonial Pipeline Company paid a ransom of roughly $5 million. However, the time required to repair the system resulted in substantial stresses to American fuel supply lines. It forced the Federal Motor Carrier Safety Administration (FMCSA) to issue an emergency declaration to keep supply lines operational in the days immediately following the attack. Gasoline was unavailable for weeks on much of the eastern seaboard.

SolarWinds: $20 - 90+ Million Breach

Hackers first gained access to Texas-based software company SolarWinds in September 2019. They inserted malicious code into software used by major firms like Microsoft and top government agencies, and the breach went undetected until December 2020, putting thousands of individuals, businesses, and US national interests at risk. While estimates vary widely, the breach appears to have cost between $20 and $90 million so far. American businesses and government agencies could spend upward of $100 billion over many months to contain and fix the damage from the Russian hack against the SolarWinds software used by many Fortune 500 companies and U.S. government departments.

OPM Breach: $500 Million - 1 Billion

The 2014-2015 breaches experienced by the US Office of Personnel Management (OPM) provide yet another example of the severe and real-world consequences of insufficient digital protection. 

Between 2014 and 2015, OPM had two data breaches. 

In one incident, an unauthorized party accessed investigative records and stole the sensitive data of 21.5 million individuals. 

As part of the breach, sensitive personal information, including names, addresses, and social security numbers, was compromised. Some individuals had their fingerprint data and credentials leaked. While most individuals victimized were in the system of their own volition due to their background check application, some 1.8 million non-applicants’ information was revealed. 

Once the breaches came to light, OPM offered services such as identity theft insurance and credit monitoring to those affected. The total cost of the incidents is unknown, although estimates suggest they range from $500 million to $1 billion.

Equifax Breach: $2 Billion-Plus 

In September 2017, credit reporting agency Equifax announced a data breach. Attackers obtained personal information about customers, including names, social security numbers, dates of birth, and more. Ultimately affecting 147 million Americans, the breach was one of the most extensive and expensive in history. It has put millions of people at risk of identity theft, a situation that has created a significant amount of anger given the expectations of credit bureaus and the inability to avoid them. 

Equifax responded in several ways. Along with credit monitoring services, free credit freezes and more regular access to credit reports to check for possible fraudulent activity have become standard. In 2019, Equifax agreed to a $700 million settlement with the government, which only scratched the surface of the total cost. By 2020, the total cost had reached nearly $2 billion. It is still possible that the total number will rise.

The Gramm–Leach–Bliley Act (GLBA), also known as the Financial Services Modernization Act, requires financial services institutions (FSIs) to explain their information-sharing practices to their customers and to safeguard sensitive data. FSIs must implement and maintain a comprehensive information security program, especially for Anti Money Laundering (AML) and Know Your Customer (KYC) regulations. 

FSIs must protect all customer information in transit over external networks and at rest. Unfortunately, these procedures often break sales workflows and frustrate essential customers. However, because organizations can be fined up to $100,000 for each violation and organizational leaders face personal fines of up to $10,000 and up to 5 years in prison, noncompliance is not a wise choice. 

Equifax failed to protect its customer information by syndicating user information worldwide for its partners to monetize, which led to the breach and the financial penalties.


Veterans Affairs Breach: $20-500 Million

In 2006, Veterans Affairs experienced a costly data breach. An unencrypted hard drive was stolen from an employee’s home. The hard drive contained sensitive personal information about approximately 26.5 million veterans and their spouses. Along with names, dates of birth, and Social Security numbers, some records also included disability ratings. 

Though a $20 million settlement was announced in 2009, a 2006 estimate of the total cost was much higher. Including the expense of preventing or covering losses related to the stolen data, the price tag was around $500 million. 

Beyond these costs, Veterans Affairs risked facing penalties imposed under the Federal Information Security Modernization Act (FISMA). FISMA applies not only to all agencies within the US federal government but also to state agencies administering federal programs, such as unemployment insurance, student loans, Medicare, and Medicaid. Penalties for violations range from formal censure from Congress to reductions in public funding.


Target Air Conditioner Repair Breach: $300 Million

In November 2013, hackers accessed Target’s customer payment card information by way of its air conditioner repair contractor. Using network credentials stolen from the HVAC service provider, hackers exposed approximately 40 million card accounts, creating millions of opportunities for fraudulent charges. 

Eastern European and Russian hackers were allegedly responsible. Attribution was initially difficult because the stolen data passed through multiple drop sites, many of which may have been compromised systems used to stage the data without the system owner’s knowledge. 

Through a multi-state settlement in mid-2017, Target was to pay $18.5 million. However, this is only part of the total cost. The class action resulted in a multi-million-dollar settlement. There were separate settlements with Mastercard and Visa, as well as various banks and credit unions. According to Target's financial report, combined with legal fees and other expenses, the total was around $300 million.

Target was also subject to the Payment Card Industry Data Security Standard (PCI DSS) as an organization that accepts payments by card. Developed by the payment card industry, PCI DSS mandates that card-accepting organizations meet 12 requirements related to securing payment card information. Those standards include protecting stored cardholder data and protecting the transmission of cardholder data across open, public networks. Being in breach of PCI DSS exposes organizations to minimum fines of $5,000 per month and maximum penalties of $100,000 per month. 

Salinas Valley Memorial Healthcare System Breach: $0.34 Million

In the medical sector, the example of Salinas Valley Memorial illustrates the risk of email breaches. The California healthcare system reached a $340,000 settlement with 2,384 patients impacted by a hack of its email systems in mid-2020.

Fines for breaches of the Health Insurance Portability and Accountability Act (HIPAA), like that of Salinas Valley Memorial, are calculated based on the number of medical records exposed. Fines range from $50-$50,000 per record, and although penalties are capped at $1.5 million per year, organizations may receive the maximum fine for multiple years. Violators may even face prison time ranging from 1 to 10 years. One example of the penalties sometimes levied against those violating HIPAA comes from a 2013 case. In this instance, Advocate Health Care (AHC) was forced to pay $5.5 million after a company laptop was stolen out of an unlocked car, exposing nearly 4 million medical records. 

Penalties

HIPAA
For HIPAA, the fine is calculated based on the number of medical records exposed, with fines ranging from $50-$50,000 per record. Violators may even face prison time ranging from 1-10 years. Fines are capped at $1.5 million annually, but organizations may receive the maximum penalty for multiple years.

GLBA
Organizations are fined up to $100,000 for each violation of the Gramm–Leach–Bliley Act (GLBA) law, and the officers and directors of the organization may be fined up to $10,000 personally. Individuals may face up to 5 years in prison.

FISMA
The Federal Information Security Modernization Act (FISMA) applies primarily to federal agencies; penalties range from formal censure from Congress to reductions in public funding.


PCI DSS
Under the Payment Card Industry Data Security Standard (PCI DSS), organizations must meet 12 requirements related to securing payment card information. Being in breach of PCI DSS exposes organizations to minimum fines of $5,000 per month and maximum fines of $100,000 per month.

Outcomes

As the above cases illustrate, significant reputational, financial, and human costs are associated with failing to maintain compliance and protect data. While everyone should take cybersecurity seriously, those working in critical infrastructure or handling sensitive data are particularly vulnerable. 

The logical response to the rising likelihood and increasing potential costs of data breaches is vigilance. Awareness and education are essential to understand the importance of proper safeguards better. Having a contingency plan in place can help companies take steps to prevent costly cyber-attacks. Ultimately, your commitment to compliance will determine your reputation and make or break your ability to win contracts in increasingly regulated verticals. 

Zero Trust

As companies collect more data, they become increasingly vulnerable to breaches and security incidents. A network is only as secure as its weakest link. Cyber risk increases exponentially for a city with hundreds and possibly thousands of sensors, data channels, data stores, data processing units, departments, and service providers. Zero Trust Architecture (ZTA) is one emerging technology that shows a great deal of promise for protecting these projects. Zero Trust is a novel approach to managing risk in highly complex communications and computer networks. Traditional technology risk models are built on compliance frameworks that focus on tracking technology assets. Unfortunately, compliance-based risk management cannot cope with today’s changing technological and geo-political landscapes. In contrast, Zero Trust is a continuous process of re-calibrating policies and monitoring infrastructure assets in real time to ensure system fidelity. Unlike the classic internet model based on implicit trust, where users are assumed trustworthy until they prove untrustworthy, Zero Trust means that network users and their devices are not blindly trusted and granted access to sensitive networks or information. Zero Trust authenticates everyone and everything. Under Zero Trust, security starts at data creation; i.e., only an authenticated and authorized device and system can connect and access data.

The strength of the Zero Trust approach is increasingly being recognized. In fact, the US Government recently mandated a Zero Trust architecture to ensure regulated data is only used by authenticated and authorized systems. ZTA provides a technology to protect privacy, ensure security, and maintain compliance. 

The System is Broken

As companies increase their reliance on connected systems, adversaries seek to exploit vulnerabilities in financial, enterprise, medical, infrastructure, and e-commerce systems. Unfortunately, compliance-based risk management cannot cope with today’s changing technological and geo-political landscapes. With the increasing sophistication of hackers and cyberattacks, human error, and the proliferation of connected devices, network-focused security is an increasingly insufficient and impractical method of delivering cybersecurity. In their current forms, smart city platforms and services often fail. 


Solutions

XQ Zero Trust enables policy-based access to any digital resource on owned infrastructure, across disparate networks, and remote data access control. Traditional cyber security protects the app, identity, and network and leaves data to fend for itself. When a threat actor breaches your perimeter, your valuable data can be exposed or exfiltrated.

A Zero Trust Data cybersecurity and compliance strategy represents a fundamentally different approach to cyber security protocols. XQ technology protects information by verifying the identity of the endpoint user, employing constant verification and crypto-agile, quantum-resistant encryption. 

XQ’s SMART Zero Trust architecture is future-proofed and built for tomorrow's security threats. XQ provides developers with the easiest way to incorporate data security into their applications to protect existing and future customers' data. Applying a Zero Trust model is the only way to stay ahead of the rapidly evolving future threats. These technological advancements make incorporating security into the code essential to keeping data safe and authorized. 


XQ’s user-friendly, unobtrusive, and efficient products change the compliance experience. With XQ, achieving compliance doesn’t have to be a headache. It can be fast, affordable, and accessible. 

XQ can help: identify and assess cybersecurity threats, protect assets from cyber intrusions, detect when systems and assets have been compromised, and support AML and KYC validation. 

XQ’s Business Email Compromise (BEC) solution using encrypted email would have protected both OPM and Salinas from exposure to these attacks. Given the recent sharp increase in business email compromise, investing in robust protection is wise. With XQ, businesses can receive immediate notification and information about the origins of a BEC. XQ helps reduce the risk of a breach and reduces the time a bad actor has access, from months to minutes.

The type of attack SolarWinds experienced, where a trojanized software update replaces existing binaries and is then used to exploit access to the network and systems, and the Colonial Pipeline attack are preventable with XQ Gateway. When software is to be deployed to the AVATAR system, the developer will create an encrypted hash of the binary, which is stored in an XQ database. 

The receiving platform will have an XQ software agent, which will verify the identity of the software being deployed. If the hash of the received binary is identical to the hash stored in the XQ database, its tamper-free status is verified. This technique can confirm the binary has not been altered.
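The register-then-verify flow described above, as an added illustration that is not XQ's code: the "database" is an in-memory dict, the binaries are constructed sample bytes, and the HMAC key that makes each registry entry tamper-evident (shared here between the publishing side and the agent) is an assumption about how a stored hash could be protected, not a description of XQ's mechanism.

```python
"""Illustrative release-hash registration and verification (added example)."""
import hashlib
import hmac

# Constructed key for the example; a real deployment would keep it in a secret store.
REGISTRY_KEY = b"example-registry-key-do-not-reuse"


def digest_binary(data: bytes) -> str:
    """SHA-256 of the exact bytes that will be shipped."""
    return hashlib.sha256(data).hexdigest()


def _entry_tag(name: str, version: str, digest: str) -> str:
    """HMAC over (name, version, digest) so an entry cannot be silently swapped."""
    msg = f"{name}:{version}:{digest}".encode()
    return hmac.new(REGISTRY_KEY, msg, "sha256").hexdigest()


def register_release(registry: dict, name: str, version: str, data: bytes) -> str:
    """Developer side: store the digest plus its authentication tag, return the digest."""
    digest = digest_binary(data)
    registry[(name, version)] = {"sha256": digest, "tag": _entry_tag(name, version, digest)}
    return digest


def verify_release(registry: dict, name: str, version: str, data: bytes) -> bool:
    """Agent side: deploy only if the registry entry is intact and the bytes match it."""
    entry = registry.get((name, version))
    if entry is None:
        return False  # never registered: fail closed rather than trusting the file
    if not hmac.compare_digest(_entry_tag(name, version, entry["sha256"]), entry["tag"]):
        return False  # entry was altered by someone without the key
    return hmac.compare_digest(digest_binary(data), entry["sha256"])


# Constructed sample "binaries": the original build and a one-byte modification.
GOOD_BUILD = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"collector-agent v2.1"
TAMPERED_BUILD = GOOD_BUILD[:-1] + b"2"

if __name__ == "__main__":
    db = {}
    register_release(db, "collector-agent", "2.1", GOOD_BUILD)
    print("good build verifies:", verify_release(db, "collector-agent", "2.1", GOOD_BUILD))
    print("tampered build verifies:", verify_release(db, "collector-agent", "2.1", TAMPERED_BUILD))
```

The same check refuses an unregistered version and a registry row whose digest was overwritten without the key, which is the case a hash-only lookup would miss.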

Investing in simple, cost-effective products like XQ’s Gateway, Business Email Compromise (BEC), or Vault would have saved these businesses anywhere from a few hundred thousand to a billion dollars. 

Communications

Outlook, Gmail & chat integrations let you use the apps you love without trusting them with your data.

Transfer

World's first Zero-Trust Data Gateway is an ideal VPN alternative. Get peace of mind when your data moves.

Vault

Stop trusting 3rd party security with your files. Share massive files in your own cloud & control who sees them, where, & when.
