How a Data-Breach Fine Can Multiply

With laws still uncertain, attorney generals' fines have become a crapshoot

Despite the dramatic escalation of data breaches, cybersecurity laws still haven’t emerged with any certainty. In their places, state attorney generals have been the acting sheriffs in town, instigating a spate of random precedents.

Most recently, New York State’s attorney general slapped Acer, the Taiwanese hardware and electronics company, with a $115,000 fine for a 2015-16 data breach that exposed 35,000 credit-card numbers.

Here’s the rub: Whenever a company settles with a state A.G.’s office, that agreement typically comes with “moving-forward” stipulations that are several times more costly than the fine itself. In Acer’s case, the company must implement several new protocols including employee cybersecurity training, regular risk reporting, and more security safeguards—not to mention creating positions to monitor these programs. All of the above comes at a premium.

Previously, New York State’s attorney general fined Trump Hotel Collection $50,000 for a data breach, with the settlement including the introduction of new security practices. Texas fined PayPal $175,000, plus tangible disclosure improvements. Massachusetts’ AG office sued the Beth Israel Deaconess Medical Center, a hospital, for compromised records, winning $100,000 in addition to stricter oversight of compliance. And Adobe settled $1 million with Connecticut’s AG office, the company agreeing to at least two annual audits.

“Forty-seven states have laws requiring entities to notify individuals of breaches involving personally identifiable information,” notes More startlingly, “Twenty-three of these states require entities to notify the attorney general of a breach.”

The bottom line is pretty clear: Since hacks cannot be stopped until they start, companies have to deploy security platforms that catch them quicker, when little-to-no-data has been compromised. Institutions also have no choice, but to take on burden of proof. Today, attorney-general responses for data-breach laws have unfolded on a case-by-case basis, so the need to for tangible, actionable security intelligence is even more paramount. Increasingly, these companies are learning that there’s better payoff in being tactically transparent.