Global data protection regulations (new or updated) are being enforced aggressively, resulting in a tsunami of hefty fines and penalties handed out to violators. The majority of these violations are a result of the failure to conduct regular risk assessments, which form an integral part of the ‘appropriate measures’ a business must take to ensure information security.
For example, in 2017, credit agency Equifax lost personal and financial information of nearly 150 million consumers due to an unpatched Apache Struts framework in one of its databases. Regulatory authorities found Equifax guilty of “failing to take reasonable steps to secure its network” and the credit agency was mandated to pay a hefty fine, valued at potentially $700 million, which it is still paying to the Federal Trade Commission (FTC), Consumer Financial Protection Bureau (CFPB) and all 50 U.S. states.
If only Equifax had implemented an ongoing risk assessment strategy, it could have avoided the subsequent financial fallout and reputational damage. A single risk assessment would have helped Equifax uncover and fix the patch-related vulnerability promptly.
You must understand that regulatory agencies don’t expect you to cast a magic spell that can indefinitely protect your network from threats. They simply strive to hold you accountable for the steps you need to take to ensure consistent data protection and privacy. For example, the most enforced HIPAA audit requirement out of a total of 180, which has been cited in more than 50 percent of recent penalties, is accurate and thorough risk analysis.
Here are a few instances where businesses were pulled up by the regulatory bodies and slapped with hefty fines for the lack of a risk assessment and management strategy. This will help you understand how risk assessment can go a long way towards building a resilient cybersecurity defense and demonstrating full compliance.
Marriott International Shelling Out Over €20 Million
Marriott International, Inc. was fined a whopping €20,450,000 in fines for failing to implement sufficient technical and organizational measures to ensure information security. The basis of the fine was Article 32 of the General Data Protection Regulation (GDPR), which clearly states the need for “a process that regularly tests, assesses and evaluates the effectiveness of technical and organizational measures to ensure the security of the processing.”
Capital One Fined $80 Million
In 2019, Capital One suffered a breach affecting 100 million people in the U.S. and 6 million in Canada. By exploiting a configuration vulnerability in the company’s web application firewall, an “outside individual” obtained personal information of Capital One’s credit card customers as well as people who had applied for credit cards. The Office of the Comptroller of the Currency fined Capital One $80 million for its “failure to establish effective risk assessment processes” when migrating operations to a public cloud environment.
Premera Blue Cross Coughing Up $6.85 Million
Washington-based health insurance company, Premera Blue Cross, was fined $6.85 million for HIPAA violations for a breach that affected over 10.4 million people. While handing Premera the second-largest HIPAA fine on record, the Office for Civil Rights (OCR) cited “system non-compliance” with HIPAA requirements. The OCR concluded that Premera had failed to conduct a risk analysis, implement risk management, or put audit controls in place.
It goes without saying that if all three companies paid heed to expert compliance advice and implemented a meticulous risk assessment and management strategy, their balance sheets would have looked significantly different.
Several data regulations have defined the importance of risk assessment in ensuring data privacy and protection. For example, the Security Rule of the Health Insurance Portability and Accountability Act (HIPAA) clearly mandates covered entities and its business associates to conduct a risk assessment. By merely implementing this cybersecurity best practice – continuous risk assessment – you will be able to significantly reduce the likelihood of a security breach and a compliance audit; both of which can lead to a tremendous loss of revenue. Think about all the financial implications you could avoid. That should convince you.
Implementing a comprehensive risk assessment and information security strategy as part of routine operational procedures is no easy feat. You need specialized tools and experienced and dedicated support to ensure you get thorough and accurate risk assessments regularly to achieve and maintain compliance obligations. Compliance is complicated and stressful, which is why partnering with an IT and Data Security specialist can help you simplify the risk assessment process and take the chaos and confusion out of compliance.
Article curated and used by permission.
The Shark Eye Tech team has been invaluable to our law firm over the last decade. They provide expert and prompt IT support to our firm and assist us in keeping up with technology that will assist with our productivity and our security.
Recently they provided expert guidance on helping us evaluate and establish a paper free process in our law firm.
Turner, Huguet, Adams & Farr
Attorney at Law