Responsiveness and Responsibility Are Considered in Assessing Data Breach Fines

About a year and a half ago I wrote a post titled Data Breach – Who’s Gonna Get it? where I made the point that, much like with Ford’s “bean counting” with the Pinto deaths back in the ’70s, companies that were aware of the risk of data breach but did not act responsibly were going to get it. The message, that is. While my post anticipated receiving that message from a jury, the point is no different when it comes to having a message sent by the Office of Civil Rights or some other governmental agency. When something bad happens, as it inevitably does, people instinctively want to know whether it was truly an unfortunate circumstance or whether it was the result of willful neglect. That is, were they trying to “do right” or did they just not care? If it is the former, they will usually cut you some slack; if the latter, you’re going to hang!

This point was confirmed in a recent interview with the Director of the Office of Civil Rights, Leon Rodriguez, who indicated that the OCR will take into consideration how a company responds to a data breach in deciding whether to assess monetary fines.

Rodriguez expects the coming year will see a higher number of data breaches being reported, partly as a result of an increase in data analytics and risk assessment procedures, but adds that entities that respond decisively and responsibly to data breaches most likely won’t be the subject of monetary enforcement.

If you want to read more, check out the full article with Rodriguez’s interview: OCR looking for ‘high level of sensitivity’ in data breaches | Government Health IT.

Don’t let your company be “that company” — now is the time to be proactive in putting policies and procedures in place to help prevent a data breach or, should one occur, be prepared to respond in a responsible way so that your company doesn’t “get the message.” Give me a call or send me an email, I’ll be happy to talk with you about these issues and any others.

2 thoughts on “Responsiveness and Responsibility Are Considered in Assessing Data Breach Fines”

  1. That’s an important message, Shawn. Decisive action after a breach will help with regulators. It will also help with judges and juries. But even better is preventing avoidable breaches before they occur, as you say. Companies will come out way ahead in the long run if they prevent breaches. Think about the $100M plus reserves that TJX had to set aside to cover settlements, defense costs, investigation costs, and remediation of its breach. The amount it could have spent to avoid the breach in the first place was minuscule in comparison.

    1. Stephen, thank you for your comment! You are exactly right, the whole point of all of this is to encourage companies to take this issue seriously and be proactive in preventing the breaches from happening in the first place. Your example of TJX is spot on. In January it came to light that Global Payments, Inc.’s breach in April 2012 cost the company $94 MILLION!!! I am no financial genius but I would be willing to bet that for a fraction of that $94 million tab they could have implemented an information security program that would have prevented the breach.
