Sizable fines assessed for data breaches in 2019 suggest that regulators are getting more serious about organizations that don’t properly protect consumer data. In the UK, British Airways was hit with a record $230 million penalty, followed shortly by a $124 million fine for Marriott, while in the US Equifax agreed to pay a minimum of $575 million for its 2017 breach. Uber’s poor handling of its 2016 breach cost it close to $150 million. Weakly protected and heavily regulated health data cost medical facilities dearly that year, too, with the US Department of Health and Human Services collecting increasingly large fines. Overall, hacks and data thefts have cost the following companies a total of nearly $1.23 billion and counting.
Target: $18.5 million
In 2017, retail giant Target agreed to an $18.5 million settlement with 47 states and the District of Columbia relating to a breach in 2013 in which some 40 million credit and debit card accounts were stolen during the post-Thanksgiving Black Friday sales rush. Later investigations found that names, addresses, phone numbers and email addresses for up to 70 million individuals were also taken. Total costs associated with the breach reached over $200 million.
Yahoo: $85 million
In 2013, Yahoo suffered a massive security breach that affected its entire database, impacting about 3 billion accounts — almost the entire population of the web. The company, however, didn’t disclose this information for three years.
In April 2018, the U.S. Securities and Exchange Commission (SEC) fined the company $35 million for failing to disclose the breach. In September, Yahoo’s new owner Altaba admitted that it had settled a class action lawsuit resulting from the breach to the tune of $50 million. A total bill of $85 million for 3 billion accounts works out to around $36 per record.
Marriott International: $124 million
GDPR fines are like buses: You wait forever for one, and then two show up at the same time. Just days after a record fine for British Airways, the ICO issued a second massive fine over a data breach. Marriott International was fined £99 million [~$124 million] after payment information, names, addresses, phone numbers, email addresses and passport numbers of up to 500 million customers were compromised. The source of the breach was Marriott’s Starwood subsidiary; attackers were thought to have been on the Starwood network for up to four years, some three years of which came after it was bought by Marriott in 2015. According to the ICO, Marriott “failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.” Marriott CEO Arne Sorenson said the company was “disappointed” with the fine and plans to contest the penalty. The hotel chain was also fined 1.5 million Lira (~$265,000) by the Turkish data protection authority — not under the GDPR legislation — for the breach, highlighting how one breach can result in multiple fines globally.
Uber: $148 million
In 2016, ride-hailing app Uber had 600,000 driver and 57 million user accounts breached. Instead of reporting the incident, the company paid the perpetrator $100,000 to keep the hack under wraps. Those actions, however, cost the company dearly. The company was fined $148 million in 2018 — the biggest data-breach fine in history at the time — for violation of state data breach notification laws.
Equifax: (At least) $575 Million
2017 saw credit agency Equifax lose the personal and financial information of nearly 150 million people, due to an unpatched Apache Struts framework in one of its databases. The company had failed to fix a critical vulnerability months after a patch had been issued, and then failed to inform the public of the breach for weeks after it had been discovered. In July 2019, Equifax agreed to pay $575 million — potentially rising to $700 million — in a settlement with the Federal Trade Commission, the Consumer Financial Protection Bureau (CFPB), and all 50 U.S. states and territories over the company’s “failure to take reasonable steps to secure its network.”
$300 million of that will go to a fund providing affected consumers with credit monitoring services (another $125 million will be added if the initial payment is not enough to compensate consumers), $175 million will go to 48 states, the District of Columbia and Puerto Rico, and $100 million will go to the CFPB.
How Can I Stop My Accounting or CPA Firm From Being Hacked?
A cybersecurity breach can’t be predicted; it can only be prevented. Therefore, the key to protecting your firm is proactively designing a robust internal security plan, as well as a strong incident response plan in case a breach does occur.
It’s also crucial to ensure that your client data is not being shared across unsecured email servers and websites. Instead, make sure you are using encrypted email or a secure client portal to store all private information. Email services such as Outlook and Gmail are not encrypted by default; they use the same public servers as everyone else. An encrypted client portal is almost impossible to hack and will keep your firm safe from liability. ImagineTime’s client portal software for accountants makes it easy for clients to submit their own private data and communicate with your firm in a secure, recorded environment. Our client portal for CPAs uses 256-bit bank-level encryption to ensure client data is protected at all times.
To download a free demo or learn more about our practice management software, click here!