Data Security: Weighing the Risks, Part 2
Toeing the line of data security regulations by using the bare minimum security available could be doubly risky for businesses. Not only does inadequate data security make breaches easier, but regulators are ramping up efforts to fine companies whose policies led to breaches. The Federal Trade Commission recently charged a company that used “admin” as the username and password for the default login on every router. Another company was fined $75,000 after a major consumer data breach when the Securities and Exchange Commission discovered the company had no firewall and had not encrypted sensitive consumer information.[1]
The list of major fines and penalties imposed on companies for data breaches goes on and on, including a giant $25 million fine against AT&T for a consumer data leak.[2] Moreover, the myriad laws surrounding data security mean that those fines and penalties may be imposed by any number of agencies, including the FTC, the SEC, the FCC, and FINRA, and could be imposed under any number of statutes or regulations, including HIPAA/the HITECH Act, securities regulations, state laws and more. Being on top of the law is a must to remain in compliance and protect company resources in case of a breach.
Again, being prepared for a breach can help lessen the consequences. Companies must weigh the costs and benefits of different levels of data security,[3] while being aware that doing the bare minimum could lead to fines or charges.
— By Julia Damron, Esq., Barnes Law
Julia Damron is an associate attorney with Barnes Law, licensed to practice law in California.
The opinions expressed are those of the author and do not necessarily reflect the views of the firm, its clients, or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.
[1] Hong, Nicole, “After a Data Breach, When Do the Feds Blame the Victim Companies?”, Wall Street Journal Law Blog, April 29, 2016, http://blogs.wsj.com/law/2016/04/29/are-the-feds-blaming-victims-in-cybercrime-cases/.
[2] Goldman, Jeff, “AT&T Hit With Record-Breaking $25 Million Data Breach Fine”, eSecurity Planet, April 10, 2015, http://www.esecurityplanet.com/network-security/att-hit-with-record-breaking-25-million-data-breach-fine.html. Websites like the DataLossDB blog track data breaches and statistics. See DataLossDB, https://blog.datalossdb.org/.
[3] See http://www.barneslawllp.com/data-security-weighing-risks/.