Fines, Penalties and Violations! Oh My!

Global data protection regulations (new or updated) are being enforced aggressively, resulting in a tsunami of hefty fines and penalties handed out to violators.

The majority of these violations are a result of the failure to conduct regular risk assessments, which form an integral part of the ‘appropriate measures’ a business must take to ensure information security.

For example, in 2017, credit agency Equifax lost personal and financial information of nearly 150 million consumers due to an unpatched Apache Struts framework in one of its databases. Regulatory authorities found Equifax guilty of “failing to take reasonable steps to secure its network” and the credit agency was mandated to pay a hefty fine, valued at potentially $700 million, which it is still paying to the Federal Trade Commission (FTC), Consumer Financial Protection Bureau (CFPB) and all 50 U.S. states.

If only Equifax had implemented an ongoing risk assessment strategy, it could have avoided the subsequent financial fallout and reputational damage. A single risk assessment would have helped Equifax uncover and fix the patch-related vulnerability promptly.

You must understand that regulatory agencies don’t expect you to cast a magic spell that can indefinitely protect your network from threats. They simply strive to hold you accountable for the steps you need to take to ensure consistent data protection and privacy. For example, the most enforced HIPAA audit requirement out of a total of 180, which has been cited in more than 50 percent of recent penalties, is accurate and thorough risk analysis.

Disasters Businesses Could Have Avoided

Here are a few instances where businesses were pulled up by the regulatory bodies and slapped with hefty fines for the lack of a risk assessment and management strategy. This will help you understand how risk assessment can go a long way towards building a resilient cybersecurity defense and demonstrating full compliance.

Marriott International Shelling Out Over €20 Million

Marriott International, Inc. was fined a whopping €20,450,000 for failing to implement sufficient technical and organizational measures to ensure information security. The basis of the fine was Article 32 of the General Data Protection Regulation (GDPR), which clearly states the need for “a process that regularly tests, assesses and evaluates the effectiveness of technical and organizational measures to ensure the security of the processing.”

Capital One Fined $80 Million

In 2019, Capital One suffered a breach affecting 100 million people in the U.S. and 6 million in Canada. By exploiting a configuration vulnerability in the company’s web application firewall, an “outside individual” obtained personal information of Capital One’s credit card customers as well as people who had applied for credit cards. The Office of the Comptroller of the Currency fined Capital One $80 million for its “failure to establish effective risk assessment processes” when migrating operations to a public cloud environment.

Premera Blue Cross Coughing Up $6.85 Million

Washington-based health insurance company, Premera Blue Cross, was fined $6.85 million for HIPAA violations for a breach that affected over 10.4 million people. While handing Premera the second-largest HIPAA fine on record, the Office for Civil Rights (OCR) cited “system non-compliance” with HIPAA requirements. The OCR concluded that Premera had failed to conduct a risk analysis, implement risk management, or put audit controls in place.

It goes without saying that if all three companies paid heed to expert compliance advice and implemented a meticulous risk assessment and management strategy, their balance sheets would have looked significantly different.

Deploy Risk Assessment and Avoid a Financial Setback

Several data regulations have defined the importance of risk assessment in ensuring data privacy and protection. For example, the Security Rule of the Health Insurance Portability and Accountability Act (HIPAA) clearly mandates that covered entities and their business associates conduct a risk assessment. By merely implementing this cybersecurity best practice – continuous risk assessment – you will be able to significantly reduce the likelihood of a security breach and of a compliance audit, both of which can lead to a tremendous loss of revenue. Think about all the financial implications you could avoid. That should convince you.


Seek Expert Help for Implementation

Implementing a comprehensive risk assessment and information security strategy as part of routine operational procedures is no easy feat. You need specialized tools and experienced and dedicated support to ensure you get thorough and accurate risk assessments regularly to achieve and maintain compliance obligations. Compliance is complicated and stressful, which is why partnering with an IT and Data Security specialist can help you simplify the risk assessment process and take the chaos and confusion out of compliance.

Accomplish More With UDT

Get your custom solution in cybersecurity, lifecycle management, digital transformation and managed IT services. Connect with our team today.
