Cost of data privacy breach may not be enough

Equifax admitted during its Q4 2017 earnings call in March that more people, than previously disclosed, had their personally identifiable information -- names and partial drivers' license information -- exposed in the company's historic data breach. And there may be more, the consumer credit company told regulators. With 147.9 million consumers affected, and counting, what will the data privacy breach cost Equifax?

That same month, Facebook came under fire for mishandling the data privacy of 50 million users. Roughly 270,000 Facebook users had downloaded a psychology professor’s app, and their data and that of their “friends” was allegedly harvested in 2016 by political data firm, Cambridge Analytica.

Unlike Americans, citizens and residents of the European Union will soon have strengthened data privacy breach protection when the EU's General Data Protection Regulation (GDPR) goes into effect on May 25, 2018. Instead of a credit freeze and lifetime of credit monitoring, individuals in the European Union can look to data authorities to enforce 72-hour breach notifications and impose hefty fines for data privacy breaches.

Whose data will the GDPR requirements protect? The data of residents -- regardless of their nationality -- of the European Union's 28 member states. "They can be in transit, cross border [or in the United States] on tourist activities. As long the person resides in those 28 states, the regulation applies," said Michelle Robles, principal consultant at Dimension Data.

Robles said she advises companies to focus on data principles that apply to the privacy-by-design requirements of Article 25, data protection by design and by default, which "hits at the heart of GDPR." Article 25 requires organizations to implement mechanisms to protect data subjects' rights -- security is just one of those controls. "Most organizations in America have had a lot of challenges around consent and privacy by design," Robles said. If the data subject wants their data forgotten or transported, the organization has to comply and provide transparency into that process, essentially an audit trail. How do companies electronically transfer that information, and where does their responsibility to the data subject end? Organizations struggle with those challenges and more as they begin to address the 99 articles outlined in the GDPR requirements.

The retail and tourism industries have been proactive with their GDPR requirements, according to Robles. "They understand the gravity of it, and they have hired companies to help them with the complexities." Smaller and midsize organizations are struggling with the interpretation and overall effort it takes to meet the GDPR's objectives because it's so expansive. The 72-hour data privacy breach notification of data authorities is another hurdle that may require "heavy lifting" to avoid insurmountable data breach cost. Companies need to work on their breach notification process and test it periodically.

While the EU is taking major steps to protect residents from a data privacy breach, little has happened in the United States. When the Equifax breach was revealed, many people thought it was a tipping point. Surely, the credit ratings company's exposure of millions of consumers' personally identifiable information would spark legislation and criminal proceedings that would serve as a warning to other companies. That hasn't happened. In March, Equifax beat analysts' Q4 2017 profit expectations. Costs associated with the "cybersecurity incident" for the year totaled $164 million, with $50 million offset by insurance. A few days before the earnings call, Equifax hired "permanent" CISO Jamil Farshchi, who previously worked at Home Depot, Time Warner, Visa and NASA to replace interim CISO Russ Ayres. Company officials project $275 million in gross costs associated with the cybersecurity incident in 2018, offset by $75 million in insurance. Facebook may pay a steeper price.