Facebook was lucky when the Information Commissioner’s Office (ICO)―the UK’s independent authority set up to uphold information rights in the public interest―hit the U.S. social media company with a £500,000 fine.
This penalty was in connection with Facebook harvesting user data over the course of seven years, between 2007 and 2014. This user data became part of the now infamous Cambridge Analytica scandal.
Facebook was very lucky, indeed, that its misdeeds happened before May 25, 2018. On that date, the EU General Data Protection Regulation (GDPR) came into force.
If its violation had happened after that, the fine could have been up to £17 million or 4 percent of global turnover. Yet, even with the prospect of stupendously steep fines hanging over their heads, insecure enterprises still don’t grasp the true cost of data privacy complacency.
According to research by one law firm, pre-GDPR regulatory fines had almost doubled, on average, between 2017 and 2018, up from 73,191 to 146,412. Those figures pale when stacked against the potential bottom line impact that now exists.
Checkbox mentality
This complacency appears to stem from a misunderstanding of the requirement to employ cybersecurity technology and procedures that will be effective in preventing, or mitigating the impact of, a data breach. Compliance checkbox ticking is alive and well, making up the sagging security posture in many enterprises.
Heathrow Airport was fined £120,000 when it lost a USB stick containing non-encrypted and sensitive data. The BBC reported at the time a Heathrow statement as saying it “regretted the breach.”
Even with sharper teeth attached to the regulatory fining regime, companies still operate as if non-encrypted data, on a non-password protected USB stick, should be considered acceptable. The ICO found that there was a “catalogue of shortcomings in corporate standards, training and vision.”
Compensation limits
Even those organisations involved in law enforcement don’t seem to get it. Earlier this year the Crown Prosecution Service (CPS) was fined £325,000 after it ‘lost’ a stack of DVDs containing police interview recordings of child sex abuse victims ― after this evidence got left in reception for a couple of days and then vanished.
Adjusting the books to compensate for a fine is one thing. But it’s a lot harder to compensate for the damage to brand reputation after a breach of any kind. And compensation claims can add litigation costs into the mix; customers are, quite rightly, a very compensation-happy crowd when they’ve been short-changed with respect to data protection measures.
With Gartner predicting that the worldwide security spend will reach more than 71 billion by the end of 2018, organizations really do need to get to grips with three words: risk, cost and value.
Complacency, or using inadequate solutions when it comes to securing data and content of whatever form, can be much costlier than is immediately apparent.
About the essayist: John Safa is founder and chief technology officer at Pushfor, a London-based supplier of messaging and content security systems. He considers himself a maverick with high ideals, seeking to completely change the dynamic of online communication.