There’s been a growing clamor both here and abroad to have entities who have had data breaches fined. And while the ICO has been promising that such fines are “imminent” and will be announced before the end of this month, I find myself wondering why we, the public, are becoming increasingly strident in our call for fines.
Is the desire to see Google fined for its wi-fi mess with Street View or Facebook fined for its numerous privacy problems a matter of schadenfreude because we enjoy seeing others suffer, or is it that we want to see the mighty fall — or is it that we want some small measure of revenge or justice for them having breached or compromised our privacy? Or is it that we’re angry at what appears to be a double standard: that if we make huge mistakes or violate laws, we pay a price, and these companies should, too?
Mulling some possible explanations over, I came up with another thought. As every parent quickly learns, if you keep threatening consequences but never follow through, your threats become empty and meaningless. And maybe that’s what some of this is all about. For a long time, entities have been given dire warnings about what might be, but if it never comes to pass, the warnings lose their effectiveness.
Even though the UK’s ICO, our FTC, and our HHS/OCR have the authority to impose fines, only the FTC has done so to date. Despite the tens of thousands of complaints it has received, HHS has not imposed a single fine for violation of HIPAA or HITECH. It has permitted three resolution agreements, but has not used its power to fine effectively as a deterrent. And so we see some state attorneys general pursuing lawsuits over data breaches while the federal agencies who could be imposing fines are not doing so. A few well-publicized fines would give IT professionals and lawyers the ammo they need to go back to their clients and say, “Look, if you don’t do this right, you could be the next big fine.”
But then again, maybe it all boils down to the public wanting to know that our governments are serious about addressing security and privacy breaches. And maybe the increasingly strident demands for fines is really our way of saying to our respective governments, “If you want us to believe you’re really taking this seriously, then make them put their money where your mouth is.”
What do you think? Should there be more federal fines over breaches or are such fines more likely to backfire as more entities decide to try to hide breaches for fear of fines?
Are you satisfied with how your government has responded to breaches?
Update: Cervello Consultants thinks that the fines are needed in the UK.