Weighing the risk of data breach noncompliance

2021 saw a record number of data breaches, despite 34% of organizations under-reporting them. What does this tell us? Data breaches are becoming more frequent, and their apparent inevitability has organizations in fear of the consequences — from reputational damage to regulatory penalties, both of which end up being significant financial burdens. In turn, this fear is driving organizations to commit a separate, even more costly noncompliance violation: failing to report their breaches.

What’s propelling data breaches?

Sensitive data is so highly regulated because of its value and the damage that can be done if it falls into the wrong hands. It’s this value that’s spurring more and more sophisticated cyberattacks on less secure targets, such as remote work environments and endpoint devices. There’s also a lack of awareness and understanding of breach reporting at the employee level. Employees may not know whom to report a breach to, what was stolen, or that they even need to report it in the first place.

One of the biggest factors currently driving breach rates up, however, is security trade-offs, whereby organizations prioritize innovation and getting products to market fast, spend less time and money on security measures, and ultimately open themselves up to compromise.

How intention factors in to data breach noncompliance penalties

When regulatory agencies review a breach to determine a fine for the responsible organization, they look to see whether security was treated as a top priority, or whether intentional disregard or negligence was responsible. Were security measures in place? More specifically, did these measures offer the level of protection appropriate to the data’s sensitivity? With trade-offs, the answers to these questions are often a resounding “no,” and this intent to skimp on security ends up leading to an even steeper fine than if the organization had done all it could security-wise to prevent a breach.

Thus, rather than reporting a breach — a key regulatory requirement — and incurring such a financial blow, organizations are opting for the less expensive but riskier route of containing a breach themselves, remaining tight-lipped about it, and hoping word never gets back to the regulatory agency or agencies they’re subject to. This, of course, is its own intentional compliance violation, driving any subsequent fines up.

Why not report a data breach?

With so much at stake, why not just report? Well, with data breach frequency increasing, even the smallest compromises can rack up quite the bill if they occur multiple times per year. Whether or not you did everything right from a security perspective, there will always be a fine.

Some organizations, after detecting that a breach has occurred, may try to contain it internally to avoid the commotion and reputational hit that result from publicly reporting a breach. But even a delay in reporting can incur a noncompliance violation. Uber spent a pretty penny trying to internally quell a breach, hiding evidence it happened and even paying a ransom to destroy the compromised data, ensuring it wouldn’t be misused and expose the breach. That $100,000 ransom and other containment costs were nothing, however, compared to the $148 million Uber was fined a year later for failing to report the breach.

By not reporting a breach, there’s a chance of not being caught and paying little to nothing for it. For organizations that take the risk of neglecting to report, that slim chance outweighs the fines they would be guaranteed to pay after reporting, as well as the even steeper penalties of being caught for not reporting.

Penalties for not reporting a data breach incident

Unfortunately, the data detailing how many breaches go under-reported inherently proves how hard it is to evade being caught, and as previously mentioned, the penalties for not reporting a data breach are far more severe than they would be if the incident were reported.

Take the GDPR, which governs all organizations processing personally identifiable information (PII) that belongs to European Union citizens. This law requires a breach to be reported within 72 hours of its discovery. Failing to report within this timeframe can result in fines in the millions. Because intention weighs heavily on how a fine is determined, not reporting automatically means a more significant one.

While the U.S. does not currently have a federal regulation for reporting data breaches, such regulations exist at the state level, the most notable being California’s CCPA and its amended, expanded follow-up, the CPRA. Both are slightly more relaxed than the GDPR in terms of the timeframe you have to report a breach — mainly to account for delays caused by a potential law enforcement investigation — but the general rule is to report as soon as possible. Not reporting in a timely manner, or ever, can result in penalties of up to $3,000 per violation, because the violation was intentional.

Be prepared for a data breach with Spirion

Curious to know what a data breach could cost your organization? Try our breach calculator tool now to understand what’s at stake. Just remember, that cost accounts for timely incident reporting — failure to report will result in a much higher fine.

With Spirion’s suite of security solutions, you can feel confident that you’re doing your best to protect against a breach with accurate data discovery, classification, and remediation, as well as ongoing monitoring. When a breach occurs, you’re able to detect and contain it quickly and to report its events in detail, and in a timely manner, to all relevant parties, from investors and stakeholders to regulatory agencies and victims, which ultimately works to reduce the fine your organization is responsible for.