Data Breach Fines: What You Need to Know

Learn about the compliance regulatory bodies that enforce fines for data breaches, factors that determine fines, and typical fine amounts.

By
Cate Callegari
12 min read

TL;DR:

  • Regulatory bodies like PIPEDA, GDPR, CCPA, HIPAA, FTC, and PCI DSS enforce fines for data breaches.
  • Factors like the severity of the breach, the number of individuals affected, response efforts, and compliance history determine fines.
  • Typical fines range from $100,000 CAD to 4% of global revenue or $20 million.
  • Mitigation strategies include compliance frameworks, secure coding training, penetration testing, and incident response plans.
  • Proactive measures can help organizations avoid data breaches and associated fines.

As data breaches have become an increasingly common occurrence in today's digital world, regulatory bodies are taking a more proactive approach to enforce compliance with data protection regulations. In this blog, we will explore the regulatory bodies that enforce data breach fines, the factors that determine the fine or penalty for a data breach, the typical range of fines for data breaches from regulatory bodies, and discuss the mitigation tactics to avoid these hefty fines and penalties. How can organizations truly quantify the value of their customers' trust and loyalty? Are they willing to risk losing it by ignoring the potential financial and reputational consequences of data breaches, including regulatory penalties and fines?

Regulatory bodies that enforce data breach fines

Each regulatory body has specific jurisdiction and authority to enforce data breach fines. Several regulatory bodies enforce data breach fines, including:

Personal Information Protection and Electronic Documents Act (PIPEDA): PIPEDA is a broad legislative act, and nearly every organization that does business in Canada must comply with it. A few organizations are not bound by PIPEDA, but compliance with it has become a standard measure by which a business is evaluated. PIPEDA helps consumers determine whether they can trust an organization with their personal data.

General Data Protection Regulation (GDPR): The GDPR is a regulation in the European Union that applies to any organization that processes the personal data of EU residents. It imposes fines for non-compliance with various provisions of the regulation, including data breach notification requirements.

GDPR applies to any organization that processes the personal data of EU residents, regardless of where the organization is located.

California Consumer Privacy Act (CCPA): The CCPA is a law that provides California residents with specific rights over their personal information, including the right to know what personal information is being collected and the right to have it deleted. The CCPA also imposes fines for non-compliance, including data breaches.

The CCPA applies to businesses that collect the personal information of California residents and meet certain criteria, such as annual gross revenue of $25 million or more.

Health Insurance Portability and Accountability Act (HIPAA): HIPAA is a law that sets standards for the protection of sensitive patient health information. It imposes fines for non-compliance with various provisions of the law, including data breach notification requirements.

HIPAA applies to covered entities and business associates that handle protected health information (PHI).

Federal Trade Commission (FTC): The FTC can impose fines for data breaches under Section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices. The FTC has brought legal actions against organizations that have violated consumers’ privacy rights, or misled them by failing to maintain security for sensitive consumer information, or caused substantial consumer injury.

Payment Card Industry Data Security Standard (PCI DSS): PCI DSS is a set of security standards developed by Visa, MasterCard, JCB, Discover, and American Express in 2004. The program, managed by the Payment Card Industry Security Standards Council (PCI SSC), is designed to protect online and offline credit and debit card transactions from data theft and fraud. Although the PCI SSC has no legal authority, any company performing credit or debit card transactions is expected to comply with the PCI DSS standard.

ISO 27001 vs SOC 2 Penalties: Compliance with ISO 27001 and SOC 2 is not legally mandated in the United States, so there are no penalties for noncompliance. However, being able to show your organization complies with one of these standards could help reduce fines and penalties in the event of a data breach.

PCI DSS, ISO 27001, and SOC 2 have no legal jurisdiction or authority of their own, but a violation of these standards can still result in fines, or have a direct impact on the amount of fines and penalties paid.

Factors that determine the fine or penalty for a data breach

When a data breach occurs, regulatory bodies consider several factors when determining the fine. These factors include the severity of the breach, the number of individuals affected by the breach, the response and remediation efforts by the company, the company's compliance history, and other factors such as intentional misconduct or negligence.

The severity of the breach

The severity of the breach is a critical factor in determining the fine imposed by regulatory bodies. Breaches that result in the loss of sensitive data such as financial information, social security numbers, and medical records are typically considered more severe than breaches that result in the loss of less sensitive data. Chinese firm Didi Global was fined 8.026 billion yuan ($1.19 billion) by the Cyberspace Administration of China after the company violated the nation's network security law, data security law, and personal information protection law.

Number of individuals affected by the breach

The number of individuals affected by the breach is another significant factor in determining the fine. The more individuals impacted, the higher the potential fine. In 2021, for example, the Ireland Data Protection Commission (DPC) fined WhatsApp €255 million for failing to adequately inform EU citizens about how their data was being used, affecting over 2 million people.

Response and remediation efforts

Regulatory bodies also consider the response and remediation efforts made by the company following the breach. Companies that take swift action to contain the breach and notify affected individuals are typically viewed more favourably than those that delay or attempt to cover up the breach. In 2016, Uber had 600,000 drivers and 57 million user accounts breached. Instead of reporting the incident, the company paid the perpetrator $100,000 to keep the data breach from going public. Those actions cost the company in a big way. The company was fined $148 million in 2018 — the biggest data-breach fine in history at the time — for violation of state data breach notification laws.

Compliance history

A company's compliance history is also taken into account when determining the fine. Companies with a history of compliance issues or previous data breaches are more likely to receive higher fines. In January 2022, investment bank and financial services giant Morgan Stanley agreed to pay $60 million to settle a legal claim relating to its data security. The claim was filed against the company in July 2020 regarding two security breaches that compromised the personal data of approximately 15 million customers. According to the claimants, Morgan Stanley failed to protect the personally identifiable information (PII) of current and former clients.

It is alleged that the data center equipment decommissioned by Morgan Stanley in 2016 and 2019 was not wiped clean and a software flaw meant that unencrypted and sensitive data was visible to whoever purchased the equipment.

The proposed claim settlement comes more than a year after Morgan Stanley was handed a separate $60 million civil penalty by the Office of the Comptroller of the Currency (OCC) in relation to the same incidents, bringing the total to $120 million in settlements and penalties from the two security breaches.

The typical range of fines for data breaches

There have been several high-profile data breaches in recent years that have resulted in significant fines from regulatory bodies. For example, British Airways was fined £20 million ($26 million) by the UK's Information Commissioner's Office (ICO) for a data breach that exposed the personal information of more than 400,000 customers. Marriott International was fined $23.8 million under the GDPR for a data breach that exposed the personal information of 339 million guests. These fines demonstrate the seriousness with which regulatory bodies treat data breaches and the importance of companies taking steps to prevent them.

Here is an overview of the fines imposed by various regulatory bodies:

PIPEDA

At this time, businesses and organizations can be fined up to $100,000 CAD for each violation. While the fine might not be invoked for every PIPEDA violation, the Office of the Privacy Commissioner of Canada (OPC) is aggressive in its investigations.

GDPR

The GDPR, which applies to organizations that process personal data of EU citizens, imposes fines of up to 4% of a company's global annual revenue or €20 million, whichever is greater.

WhatsApp Ireland faced a substantial €225 million fine for breaching transparency obligations under the General Data Protection Regulation (GDPR). This penalty highlighted the importance of clear and comprehensive data processing information for users. Simultaneously, Amazon received an even larger fine of $877 million for GDPR violations. These significant fines demonstrate the European Union's commitment to enforcing data protection laws and holding tech giants accountable for their data handling practices. The magnitude of these penalties serves as a stark warning to companies operating in the EU, emphasizing the need for strict compliance with GDPR requirements, particularly in areas of transparency and user consent. Such hefty fines also underscore the financial risks associated with data protection breaches in the digital age.

CCPA

The CCPA, which applies to businesses that collect personal data of California residents, allows for fines of up to $7,500 per violation.

HIPAA

HIPAA, which regulates the handling of PHI, can impose fines of up to $1.5 million per year for violations.

FTC

The FTC may bring civil actions for civil monetary penalties of up to USD 40,000 per violation of the FTC Act or the Children's Online Privacy Protection Act (COPPA). Each day that non-compliance continues is considered a separate "violation" for purposes of the law. In 2019, for example, the FTC fined Facebook $5 billion for its role in the Cambridge Analytica scandal.

PCI DSS

The payment brands may fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The bank will then most likely either terminate its relationship with the merchant or increase transaction fees. Penalties are not openly discussed nor widely publicized, but they can be catastrophic to a small business.

Mitigating the risk of data breaches and associated fines

Now that we've explored the factors that determine the fine for a data breach and the typical range of fines imposed by regulatory bodies, it's essential to discuss strategies for mitigating the risk of data breaches and associated fines.

Strategies for preventing data breaches

Follow compliance frameworks

This answer might seem obvious and easy to accomplish, but that is not always the case. Achieving and maintaining compliance is easier said than done: it requires a lot of time, effort, and resources, with both direct and indirect costs. It is important to thoroughly understand the compliance requirements and create action plans and processes to fulfill and maintain the requirements and standards outlined by the framework. By creating a plan and process alongside resource budgeting, you should be able to manage and maintain compliance requirements for your organization.

Train your developers on secure coding best practices

Training your development team to practice secure coding standards is another great way to prevent data breaches. The U.S. Department of Homeland Security (DHS) published a software assurance report that estimates up to 90 percent of security incidents stem from exploits against defective code and vulnerable software. By training your developers in secure coding best practices, you greatly reduce the risk associated with defective code. Where is the best place to learn secure coding practices? From the people who exploit those vulnerabilities: penetration testers. Software Secured hosts a variety of secure code training courses for your development team. Explore our courses for more information.

Penetration testing

One of the best ways to prevent data breaches is by conducting quarterly or semi-annual penetration testing. Penetration testing involves simulating a real-world attack on a company's systems to identify vulnerabilities that could be exploited by attackers. By conducting continuous penetration testing, organizations can identify and address vulnerabilities before attackers exploit them. Finding and remediating vulnerabilities before they can be exploited is the most effective way to avoid data breaches and the fines and penalties associated with them.

Incident response plans

In addition to penetration testing, organizations must also have an incident response plan in place to mitigate the impact of a breach if one occurs. A good incident response plan should outline the steps that an organization should take in the event of a data breach, including how to contain the breach, notify affected individuals, and remediate any vulnerabilities. Without an appropriate incident response plan, you jeopardize your relationship with your customers and can face larger regulatory fines.

For example, LastPass, which has more than 30 million registered users, initially sought to play down the extent of the breach when it took place in August 2022. Confirming that a ‘security incident’ had taken place, it said its products were “operating normally” and that the company did not “recommend any action on behalf of users”. However, the extent of the breach was revealed four months later, with data on 25 million LastPass customers potentially exposed. The company’s actions could put it in breach of US legislation, the Federal Trade Commission Act, although the figure sought in damages has not been specified.

Conclusion

By understanding the factors that determine the fine for a data breach, the typical range of fines imposed by regulatory bodies, and strategies for mitigating the risk of data breaches, organizations can take proactive steps to protect themselves and their customers. Conducting regular penetration testing, implementing an incident response plan, and ensuring compliance with relevant regulations can all help mitigate the risk of a data breach and associated fines. Software Secured’s Penetration Testing as a Service (PTaaS) goes beyond ensuring compliance: our PTaaS provides continuous testing of your applications to proactively avoid data breaches. Wondering how often to audit your organization to ensure compliance with relevant regulations? Book a meeting with our team!