The fear of having your credit card details appear on the dark web may soon be a thing of the past — if a regulatory crackdown works.
The Federal Trade Commission’s decision to whack Equifax, the credit reporting agency, with a near $800m fine, then days later hit social media group Facebook with the largest civil penalty in the watchdog’s history, shows how serious the US regulator is now treating data violations.
The $5bn penalty handed out to Facebook was more than 200 times the biggest fine the commission issued to Google in 2012 for violating an FTC order and more than 20 times the largest data security penalty ever imposed.
On a similar front, the UK’s information commissioner slapped British Airways with a potential £187m fine and US hotel group Marriott International was collared for £99m, both for failing to secure customers’ details.
These record fines reveal that watchdogs across the globe are prepared to exercise their powers to punish companies with lax cyber defences.
“Regulators have typically moved at a slow pace but now they are flexing their muscles with regards to data privacy,” says Duncan Brown, security strategist of Emea at Forcepoint, a company specialising in cyber security.
And it’s prudent. In this digital age, our data surrounds us everywhere and more importantly, it’s valuable. It governs most facets of modern life from facilitating online bookings to dating and presenting recommendations on what TV shows to watch. But in the wrong hands, the consequences can be severe.
It’s no surprise, therefore, that the volume and scale of cyber attacks have risen in recent years. Of the largest attacks tracked since 2010, some of the biggest breaches have occurred in the past three years.
Yahoo remains the largest known corporate cyber attack to date. The internet company said in 2016 that a breach in 2013 had affected 1bn user accounts, only to revise up that number by 2bn nine months later. The news forced Verizon, which was in the process of buying Yahoo, to cut its offer price by $350m.
But corporate responsibility is not limited to the threat of company fines or financial loss. Businesses now need to reassess how they use your information to comply with data regulations, especially in Europe under GDPR.
Introduced last year, the European framework on data privacy gives greater rights to individuals over how their data are used.
“Theft of data are clearly a breach, but new laws go much further. There are now real risks concerning the processing of personal data and that could force many internet-related companies out of business, says Mr Brown.
As companies become more security conscious and regulators expand their powers, it is up to us as users to catch up. A recent report by the European Commission revealed that only one-in-five people knew which public authority was responsible for protecting their details.
