Fined over data compliance: What should you do next?
By John Brandon
Introduction and first steps
In IT circles, you might hear about the need for better data protection in the enterprise, the challenges of security in an age of BYOD (bring your own device), and the costs of creating an airtight infrastructure that is all but impenetrable to would-be criminals.
Yet the reality is that large companies are fined for compliance violations on a regular basis. When it happens, there are issues with reputation management, legal ramifications, and breach notification that go beyond the simple task of paying the fine and plugging the security hole. In most cases, a lengthy post-mortem is necessary after a data breach occurs.
Learn about the fine
Of course, the first step is to determine the amount of the fine, why it was levied, who was involved, and which compliance regulation was breached. There is an initial shock over the penalty, but companies must get past that and establish exactly why the fine occurred.
“In the UK, the Information Commissioner’s Office can levy fines of up to £500,000 [around US$820,000, AU$925,000] for serious breaches of the Data Protection Act and Privacy and Electronic Communications Regulations,” says Ian Rowlands, the VP of product management at ASG Software Solutions, a software services company.
He further notes: “The ICO doesn’t play favourites! In July of this year the Chief Constable of the Kent Police force received notice (as the designated Data Controller) that his force was to be fined £100,000 [around US$165,000, AU$185,000] for failing to take care of items including ‘documents and video/audio tapes containing confidential and highly sensitive personal data about a significant number of individuals.'”
While that is just one example, large companies are fined for compliance violations in amounts ranging from a few thousand to well into the millions. In the US, fines for HIPAA (Health Insurance Portability and Accountability Act) violations are the more common case.
“The amount of fines will vary depending on the jurisdiction, the regulator and the severity of the incident (i.e. number of people affected, the risk of harm, etc.),” says Gant Redmon, the General Counsel at incident response vendor Co3 Systems. “They can be assessed on a per record basis and/or a per incident basis and can easily go into the millions of dollars.
“Fines could be assessed for things like not securing the data properly and for not disclosing the breach according to regulation. In the UK the organisation would most likely incur fines for not taking proper precautions to secure the data, which is in contravention of the Data Protection Act.”
Tom DeSot, the CIO at Digital Defense (DDI), a risk management company, says fines are levied for two primary reasons. One is when a corporation is grossly negligent with respect to a compliance regulation. The second is when a company has previously been fined for an infraction and has not completely fixed the problem.
Find the problem
The next steps are to find out how the breach occurred, who was responsible, and why your existing data protection policies and procedures did not work. That involves a post-mortem examination of your IT security infrastructure. The important point here is to be thorough enough that the breach (and any related compliance fine) does not happen again.
“This is a great opportunity for integrated data management – to extend the data inventory (best described in a metadata repository), and make sure the process and communications metadata on any given data asset class is collected, managed and readily accessible,” says Rowlands.
“Fixing the problem is about taking corrective and preventative action but that is not all. Your organisation must guarantee that it not only corrects the problem but detects and protects itself from incidents in the future,” says Jimmy Lin, Vice President of Product Management and Corporate Development at The Network, a risk management company.
Legal issues and the media
Know the law
According to Rowlands, once the breach has occurred and you have learned about the violation and the associated fine, the next step involves your legal department. It is important to understand not just the fine and the data breach itself but how the incident affects the business as a whole.
“Make sure you know the law,” he says. “It might be tempting to try to keep things quiet – or it might be just as tempting to want to inform everybody, in an attempt to look like the good guys. Before you do either of those things, make sure you know what the regulatory and contractual obligations are.
“It’s very likely that there will be regulators to notify. You may need to involve law enforcement. It’s probable that you have insurers to inform (you do have that policy in place, don’t you…?). When you know all these things, move as fast as possible to notify those who are involved or, if you can’t be certain, those who might be involved.”
Fix the problems
After analysing the legal ramifications, companies should move into a remediation phase and fix the problems. This requires a security evaluation to determine what caused the breach, followed by a thorough process of correcting those causes in accordance with the relevant regulations.
“Chances are you will also be instructed [as part of the compliance violation notice] to take proper measures to avoid a recurrence of the issue,” says Redmon. “Demonstrate to the regulator that you’re taking it seriously.” Redmon adds that the fines can be higher if the same violation occurs again and the company did not take adequate measures to resolve the issue.
Work with the media
Another step to take once you have learned about a compliance fine is to notify the local media. Redmon says this is a matter of prioritisation. “You have to find out what laws have the shortest timeframes for reporting,” he says. “Make sure you have an internal Public Relations person or contract with an outside PR firm to help coordinate both internal and external communication. You’ll need help with explaining the incident to employees, preparing talking points in case they receive questions from the public, and also a point of contact for media inquiries.”
“Remind the world that the best security in the world still may be compromised,” he added. “Even a company using reasonable efforts to secure its data and environment is at risk. Communicate openly and plainly, but only after you have secured the facts and have a plan.
“Second, comply with disclosure requirements, demonstrating to regulators and the public that you’ve taken the matter seriously. Third, conduct a post-mortem review to determine what changes need to be made going forward in order to prevent a recurrence.”
Of course, companies should also work with employees, educating them on the compliance violation and why it occurred. Due diligence means making sure everyone at the company understands what happened and how the problem will be resolved.