This week saw European regulators impose stiff fines on both Marriott (equivalent to $123 million USD) and British Airways (equivalent to $229 million USD) for violating Europe’s General Data Protection Regulation (GDPR). Although the fines are far from the four percent (4%) of the companies’ annual revenue that was possible under GDPR, they still signal an intent by European regulators to force companies to pay more attention to cybersecurity and data privacy.
Many companies in the US have paid only passing attention to these stories because they take place on foreign shores where those companies do not conduct regular business. However, even in the US things are starting to get more interesting. The Washington State Attorney General’s Office announced late last week that it had entered into a consent decree with Premera Blue Cross, the largest health insurer in the Pacific Northwest, over the data breach Premera suffered. As the Attorney General’s office stated:
“Premera had an obligation to safeguard the privacy of millions of Washingtonians — and failed[.]”… “As a result, millions had their sensitive information exposed. Premera repeatedly ignored both its own employees and cybersecurity experts who warned millions of consumers’ sensitive health information was at risk.”
Premera will have to pay $10 million in fines (roughly $1 per affected individual), which is still well below the per-person fines imposed on Marriott (about $4.10 per affected EU resident) and British Airways (almost $460 per person affected). More significant than the fines, however, is that Premera agreed to a multi-year program of regulatory oversight and audits, and to significant management changes intended to bring about a more security-focused culture throughout the organization.
The fines agreed to under the consent decree are in addition to any damages assessed in a class action suit that is still pending. Those damages are reportedly approaching $75 million USD.
Organizations that build defensible cybersecurity™ programs can demonstrate that they have been taking risk-appropriate steps to protect the information with which they are entrusted. That evidence helps organizations reduce, and in some cases avoid, costly fines and penalties. To find out more about how your organization can benefit from defensible cybersecurity, contact Fathom Cyber.