Accountability for Corporate Breaches

14 11 2011

by Daniel Nordstrom

Should companies be forced to pay monetary damages if they have a security breach in their customer database? David Evans from the Information Commissioner’s Office in Europe thinks they should[1].

Big companies being hacked has become so common in today’s news that it isn’t a cause of public alarm, and is instead just another story on the nightly news. Earlier this year Sony’s network was hacked and has since been hacked over 10 times, among those hacked was Sony Europe[2]. Sony’s defense for itself was they were attacked by a professional criminal expert, but experts have said that Sony did not have the right things needed to protect their customer’s information. Due to the increase in companies having security breaches against their databases, Europe’s Information Commissioner’s Office said companies need to protect customer information or pay the price.

The head of the ICO, David Evans, recently said, “companies are not taking it [data protection] very seriously.”[1] Evans then went on to say that the ICO could and would start making companies pay fines up to 500,000 pounds. Up to this point the ICO has very seldom handed out fines, and has not used its powers. The ICO decided to change this policy because of a breach that happened last year at a company called Lush. Lush has a security breach because they had not implemented any basic security for their systems and 5,000 of their customers credit card numbers were now at risk because of it. The ICO only made the company admit their mistake, communicate to their customers, and add strong security measures to their systems. The ICO said that they will only implement the fines where they will make the biggest public impact. These fines raise the question though of who do we choose to fine, and by how much and often?

Looking at the first question, who do we choose to fine, I think that if a company is going to be processing customer transactions they need to follow the 5 basic steps that the Federal Trade Commission has[3]. The five steps are,(quoted from website)

  1. Take Stock – Know what personal information you have in your files and on your computer
  2. Scale Down – Keep only what you need for your business
  3. Lock It – Protect the information in your care
  4. Pitch It – Properly dispose of what you no longer need
  5. Plan Ahead – Create a plan to respond to security incidents

Quickly running through these steps we see that a company should protect and understand what information they have. They should then only keep information they need for as long as they need it, and if the information is ever compromised they need to have a plan for what to do. If a company has done these five things to a reasonable degree then I feel that the company should only be responsible to do what Lush did in the above paragraph and possibly face a small fine. If a company has not done each of the five steps then they should be subject to a much larger fine.

The second question was how much and how often should we fine these companies. The ICO has said that they will only fine companies where they feel it, “will make the biggest public impact.” The logic of the ICO is that if they only use the fines every once in a while then when they do the fines will get more attention. I feel that this isn’t what the ICO should be doing and they need to set clear guidelines as to when a company will and won’t be fined. If a company has shown a blatant disregard to customer information then the fine should be higher then a company who has implemented some information security. If the ICO only fines some companies then they could be opening themselves up to companies not wanting to pay the lawsuit’s based on other security breaches that have happened at other companies. By having a standard it helps get rid of “some” of the grey area.

When we compare this to the United States current Legislation called “the Personal Data Protection and Breach Accountability Act of 2011…” we see that the US is trying implement much stricter penalties[4]. The penalties can have a maximum value of $20,000,000. This legislation mandates that companies that store information for more than 10,000 people follow the five FTC steps. The department that would enforce the penalties would be the US Attorney General, and State Attorney Generals.

With Security breaches becoming more prevalent every day companies need to increase the amount of protection they are giving the information they have. If companies do not increase the protection on this data then they are taking a risk with their customers information and trust. If this information is compromised then they lose both.









Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: