Are regulatory and security breach fines protecting the consumer, or beginning to unduly drive security policy? As penalties begin to be levied against organizations who have been attacked, or employees violated data policy, some experts now question whether the government is penalizing one of the victims in a crime, rather than helping to mitigate the risk of identity theft -- as the laws were first intended.
Consider the move by the Massachusetts Attorney General against restaurant chain owner the Briar Group LLC. A few weeks ago the attorney general announced that it reached an agreement with Briar Group to pay $110,000 in penalties. The settlement stems from allegations that the restaurant chain didn't adequately protect customer payment data after a malicious application was installed on its systems. The malware was on its network from April, 2009 through December, 2009. The allegations against the chain say that the group didn't change employee login information and continued to take credit and debit cards after it discovered the breach, this statement from the Massachusetts Attorney General says. The compliant also alleges that the chain failed to properly secure its remote access utilities and wireless network.
Certainly not security practices to applaud. However, experts contend -- because of the lousy inherent insecure state of applications and IT systems -- enterprises can have all of the right security technologies, policies, and procedures in place and still end up on the wrong end of a state action. "These database breach notification laws were not intended to set standards of care," says Mark Rasch, director of cybersecurity and privacy consulting at Computer Sciences Corporation. "They were initially intended to help consumers, who had their information breached, to avoid identity theft," he says
"The fact is that you can do everything well, and be breached; or you can do nothing and suffer no recognizable breach," he adds.
Mike Wiltermood, chief executive officer at Enloe Medical Center, based in Chico, California, might agree. Enloe decided to fight a fine it received last year after it reported that the center had discovered that on several different instances the medical records of one patient were inappropriately accessed. The medical center says it discovered the violations through its own monitoring, investigation, and self-reporting of the incident to California authorities. The result? The California Department of Public Health (CDPH) opted to fine Enloe anyway.
The center didn't think the state's actions were justified.
"Enloe Medical Center goes above and beyond the requirements of the law to protect patient privacy, which is the reason we were able to detect the breach," said Wiltermood a statement. "From our perspective, Enloe Medical Center's early detection of the patient information breach, along with our long-standing safeguards and privacy processes, were not taken into consideration as the law clearly allows when CDPH chose to apply the $130,000 administrative penalty," Wiltermood said.
"If the goal of the regulators here is to increase breach disclosures they failed, and if the goal is to increase security they failed," says Pete Lindstrom, research director at Spire Security. "The lesson to others is to hide their incidents," he says
"When a store gets robbed, or employees steal from the store, the authorities don't fine the retailer," adds Rasch.
This story, "Data breach fines can risk more harm than good, experts say" was originally published by CSO.