Data Breaches 2023: Consequences of Non-Compliance with Privacy Laws
Consumer privacy laws and the consequences of non-compliance with privacy laws continue to take the front seat in 2023 (a trend not just limited to 2022).
Just look at this week’s news headline for an example: [Insert major financial organization] sued for negligence in data breach that affected 35,000 users.
This data breach lawsuit comes to light as the organization in question allegedly failed to comply with FTC guidelines for data protection.
The suit asks for an “unspecified amount of monetary damages for violating the various consumer protection laws and as equitable relief, funding for lifetime credit monitoring and identity theft insurance, and more.”
Privacy laws and penalties are increasing exponentially
Consumers are fed up, creeped out, and feel powerless when it comes to their data.
In fact, state-level momentum for comprehensive privacy bills is at an all-time high. The sudden spike in privacy bills is no coincidence.
Safeguarding the data and respecting the privacy of consumers has never been more important, as it’s the only direct path to building trust.
Penalties for negligence and the consequences of non-compliance with privacy laws have skyrocketed in recent years.
For context, let’s look at some of the largest data breach fines of all time:
1. Didi Global: $1.19 billion (2022)
2. Amazon: $877 million (2021)
3. Equifax: (At least) $575 million (2017)
4. Instagram: $403 million (2022)
5. T-Mobile: $350 million (2022)
6. Meta (Facebook): $277 million (2022)
7. WhatsApp: $255 million (2021)
8. Home Depot: ~$200 million (2014)
9. Uber: $148 million (2016)
10. Google Ireland: 102 million (2022)
You’ll notice that seven out of the ten in the list above occurred within the last two years – a clear message from regulators that non-compliance with privacy laws is no longer an option and, if a breach occurs, will result in serious consequences.
We’re three months into 2023 and the data breach headlines keep coming. Here are the top six high-profile data breaches of 2023 to keep on your radar:
- Chick-fil-A: March 2023
- Activision: February 2023
- Google Fi: February 2023
- T-Mobile: January 2023
- MailChimp: January 2023
- Norton LifeLock: January 2023
Inefficiency will cost you more than just fines
The effect of privacy incident management ripples across teams and impacts organizations as a whole. Beyond regulatory fines or even class action settlements, the consequences of non-compliance with privacy laws often follow a brand for years.
Delays in incident response may lead to over- or under-notification
Homegrown solutions to incident management, such as spreadsheets and email, don’t address the time-critical requirements to evaluate an incident in the context of applicable laws, determine whether it is a breach, and determine what notification obligations might apply.
These manual processes create inconsistency and extend notification timelines. Due to the inherent subjectivity in this process, your team may end up over- or under-notifying.
Both under- and over-notification carry risk, and only automation can help you develop a repeatable and defensible incident management process.
Non-compliance with privacy laws can lead to reputational damage
Under-notification can result in fines and penalties due to negligence and non-compliance.
These data breach fines can draw negative attention to your brand in the news and can lead to a decrease in trust from your customers, third-party relationships, investors, and regulators.
What should you prioritize to mitigate privacy risk and build trust?
How exactly can your organization avoid penalties and reputational harm from privacy incidents?
The 2023 Cisco Data Privacy Benchmark study outlines priorities for building consumer trust from two views – consumer and organizational.
The top three shared priorities to build trust are as follows:
- Provide clear information as to how consumer data is being used
- Refrain from selling consumer information
- Comply with all relevant privacy laws
By making privacy a priority and investing in tools and processes that mitigate risk and speed time to incident resolution, organizations stand to reduce the consequences of non-compliance with privacy laws.