Global data protection regulations such as the GDPR are high on the radar of international lawyers, as aggressive enforcement against violators has resulted in a tsunami of hefty fines and penalties. Interestingly, most of these violations stem from a company’s failure to perform regular risk assessments. These risk assessments are an integral part of the defined ‘appropriate measures’ any business must enact when dealing with sensitive information.
And regulatory authorities take this failure seriously. For example, the credit agency Equifax lost the personal and financial information of nearly 150 million consumers in 2017 due to an unpatched Apache Struts framework in one of its databases, leading regulators to find it guilty of “failing to take reasonable steps to secure its network”. The result? Equifax was required to pay up to $700 million, a settlement it is still paying to the Federal Trade Commission (FTC), the Consumer Financial Protection Bureau (CFPB) and all 50 U.S. states.
And yet, the situation — with its associated reputational damage and financial fallout — could have been entirely avoided if Equifax had simply implemented an ongoing risk assessment strategy. Just one risk assessment would have allowed the company to both uncover and fix the patch-related vulnerability.
While regulatory agencies do understand that networks are, by their nature, prone to security issues, they do hold companies responsible for taking steps to ensure consistent data protection and privacy. For example, out of 180 HIPAA audit requirements, the one that is cited in over half of all penalty situations is an accurate and thorough risk analysis.
GDPR Disasters That Could Have Been Avoided
If you still think you can get away with a lax risk assessment and management strategy, think again. The following companies relaxed their compliance efforts and were met with hefty fines and penalties. Hopefully, these examples can help you understand the importance of risk assessment both in compliance and in creating a resilient cybersecurity defense.
Capital One Shelling Out $80 Million
The Capital One breach of 2019 affected 100 million people in the U.S. and 6 million in Canada. An “outside individual” obtained personal information of Capital One’s credit card customers as well as credit card applicants through a configuration vulnerability in the company’s web application firewall. The Office of the Comptroller of the Currency fined Capital One $80 million for its “failure to establish effective risk assessment processes” when migrating operations to a public cloud environment.
Marriott International Fined Over $23.9 Million
Marriott International, Inc. failed to implement sufficient technical and organizational measures to ensure information security. The result? A whopping $23.9 million fine, based on Article 32 of the General Data Protection Regulation (GDPR). This article clearly states the need for “a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”
Premera Blue Cross Penalized $6.85 Million
Premera Blue Cross, a Washington-based health insurance company, was fined a whopping $6.85 million for HIPAA violations resulting from a breach affecting more than 10.4 million people. The Office for Civil Rights (OCR) cited “systemic non-compliance” with HIPAA requirements, concluding that Premera failed to conduct a risk analysis, implement risk management, or put audit controls in place. This resulted in Premera receiving the second-largest HIPAA fine on record.
If any of these three companies had listened to expert compliance advice and simply followed a meticulous risk assessment and management strategy, they could have avoided significant penalties, fines, and serious damage to their reputations.
Perry proTECH — Helping You Protect Your Most Important Asset: Information
At Perry proTECH, we understand the difficulties faced by today’s companies as they try to respond to evolving cyberthreats and keep abreast of current regulations governing information management and data privacy.
That’s why we offer the knowledge and expertise of a team of Network Management and Security specialists to protect your mission-critical data and ensure your company is in compliance with the appropriate data privacy regulations.
With the highest-level security solutions in the industry, our managed network services allow you to secure all areas of your company’s network — from next-gen firewall protection to endpoint security that ensures your data protection extends to all devices for secure mobility.
Don’t make an expensive mistake with your data. Contact a Perry proTECH consultant and learn how our Network Management services can help protect your company’s data and keep you in compliance with data privacy regulations.