How companies approach data security controls is changing. Segregation of Access (SoAx) is now just as critical as Segregation of Duties (SoD). Who sees sensitive data is just as important as who changes it.
And just to make sure organizations take access controls seriously, regulations such as GDPR are inflicting major penalties for breaches of private data. And soon, it won’t just be about breaches, it’ll also be about fines being levied for data security audit failures.
When GDPR was enacted, there was alot of confusion around the penalties that would be associated with the exposure of sensitive data. Many companies took a wait and see approach in lieu of enacting data protection measures. Especially around legacy applications, such as ERP systems, where the keys to a company’s kingdom are typically stored.
Couple of reasons. Most companies don’t even have a handle where their sensitive data is even stored. And, in addition, most companies don’t focus on regulatory controls until the penalties are real.
GDPR penalties are real. The penalties associated with many of the state-driven data privacy regulations are real. And now we have some guinea pig companies that show just how real they are.
GDPR was enacted in May of 2018. It took a year before the Information Commissioner’s Office (ICO) nailed a company for a breach of sensitive data.
In 2019, British Airways was hit with a proposed fine of $230m for the exposure of sensitive information. Less than a week later, a second culprit was reported. The ICO has proposed a $124m fine to be assessed to the Marriott hotel chain related to the exposure of sensitive data in over 339 million guest records.
But that’s a European regulation that doesn’t apply to us.
We hear that alot. So, let’s talk about some of the recent US-based breaches and their associated penalties.
In 2013, Yahoo was fined $35m by the SEC and paid an additional $50m in a class action suit for a major exposure of customer data.
In 2015, health insurer Anthem was fined $16m for violating HIPAA regulations and allowing the breach of over 79 million customer records. And that was in addition to the $112m they paid to settle a national class action suit.
In 2017, a breach of Target’s customer information was settled for a $18m fine.
Uber, in 2018, was fined $148m for a major breach of driver and rider records. An unusually large fine for that time that was increased due to their efforts to cover up the breach.
The key takeaway is that, while some of those US fines are relatively low when compared to the GDPR offenders, that is changing. With the introduction of the California Consumer Privacy Act and other state initiatives, fines are being structured to follow the GDPR model. That is they will be calculated as a percentage of an organization’s revenue.
All of sudden that $18m that Target paid blows up to hundreds of millions of dollars.
Still want to take a wait and see approach?
Contact us to see how Appsian can help you address your data security controls.