Why Faceless Companies Never Pay for Data Breaches and What Can Be Done

Data breaches are a growing issue in the digital age, exposing sensitive personal information like credit card details, medical records, and social security numbers. Despite the significant risks these breaches pose to consumers, many companies fail to face meaningful consequences for their role in these incidents. This article explores why companies often avoid paying for data breaches and provides practical steps both businesses and individuals can take to mitigate these risks.

Why Companies Avoid Paying for Data Breaches (especially in the US)

Weak Legal and Regulatory Frameworks

One of the main reasons companies avoid significant penalties after data breaches is the inadequacy of current legal frameworks. Laws like the General Data Protection Regulation (GDPR) in Europe and the California Consumer Privacy Act (CCPA) in the United States are steps in the right direction, but the penalties are small relative to a large company's revenue. Under GDPR, for instance, a company can be fined up to €20 million or 4% of its worldwide annual turnover, whichever is higher; in practice the fines actually levied are rarely large enough to deter a major corporation, and even when penalties are imposed they seldom affect the bottom line in a meaningful way.

Externalized Costs

Another reason businesses avoid the consequences of data breaches is that many of the costs are externalized. The financial burden of a breach often falls on consumers, who may experience identity theft or fraud, while companies may rely on cyber liability insurance to cover immediate costs. This allows companies to minimize their financial exposure, while consumers deal with the long-term effects, such as the time and effort needed to resolve identity theft or credit issues. This externalization of costs weakens the incentive for companies to invest in stronger cybersecurity measures.

Risk Management via Insurance

Many companies also treat data breaches as an inevitable risk and factor potential breach costs into their overall risk management strategy. Instead of investing heavily in cybersecurity, businesses often purchase insurance policies that cover breach-related expenses. This approach allows companies to continue operating with minimal disruption and without facing significant financial consequences, which reduces the incentive to invest in more robust cybersecurity infrastructure.

What Can Be Done?

Strengthening Regulations and Penalties

Governments need to strengthen data protection laws and impose more substantial penalties on companies for failing to protect consumer data. For instance, penalties should be scaled based on the severity of the breach and the size of the company, ensuring that large corporations with greater resources face significant fines. Additionally, businesses should be required to compensate affected consumers for the direct financial losses caused by breaches, including fraud and identity theft, to hold companies fully accountable.

Increasing Corporate Accountability

Companies need to prioritize cybersecurity at the executive level. Appointing a Chief Information Security Officer (CISO) who reports directly to the CEO and board helps ensure that data protection is embedded in the company's overall business strategy rather than buried inside IT. Regular audits, employee training, and the implementation of well-established security controls should become standard practice. Businesses should also adopt a proactive approach to security, such as conducting regular penetration testing, patching systems promptly, and reviewing their defenses as new threats emerge.

Actions for Consumers

While businesses hold primary responsibility, consumers can also take steps to protect themselves from the consequences of data breaches:

  1. Use Secure Communication Tools: When sending sensitive information, avoid unencrypted email and text messages. Use end-to-end encrypted alternatives such as Signal for messaging or ProtonMail for email. End-to-end encryption means only the intended recipient can read the message, not the provider carrying it. Note the limits: Signal encrypts end-to-end only between Signal users, and ProtonMail does so only between Proton accounts or via password-protected messages; mail sent to an ordinary provider is still readable by that provider.
  2. Enable Two-Factor Authentication (2FA): Whenever possible, enable 2FA on your accounts so that a stolen password alone is not enough to log in. Prefer hardware security keys or passkeys, which resist phishing because they are bound to the genuine site; authenticator-app codes are the next best option. Treat SMS codes as a last resort, since they can be intercepted or captured through SIM swapping, though even SMS 2FA is better than a password alone.
  3. Monitor Financial Accounts and Credit: Regularly check your bank and credit card statements, as well as your credit report, to catch unauthorized transactions or signs of identity theft early.
  4. Use Strong, Unique Passwords: Utilize a password manager to generate and store complex, unique passwords for each account. Avoid reusing passwords across different platforms.
  5. Be Cautious of Phishing Scams: Always be suspicious of unsolicited emails or messages, especially those that ask you to click on links or provide personal information. These are common tactics used by hackers to steal sensitive data.
  6. Use Encryption Tools: For sensitive files at rest, use tools like VeraCrypt to create encrypted volumes on your own disks, or Cryptomator to encrypt files before they are uploaded to cloud storage. These tools protect your data if a laptop is stolen or a cloud account is compromised, but they only protect what you store yourself; they do nothing for the data a company holds about you.
  7. Let these companies know it is NOT OK for them to lose your information in plain, unencrypted form, whether through weak IT practices, social engineering, or whatever their weak links are. Demand that they encrypt sensitive data on their servers, with the keys held separately from the data (for example in a key management service or hardware security module), so that a stolen database is gibberish to the attackers. Encryption at rest is not a cure-all: an attacker who compromises the application that holds the key can still read the data, so it must be paired with access controls and monitoring.
  8. Contact your Congressional Representatives to demand they introduce legislation to severely punish companies that allow sensitive consumer data to be hacked, leaked, or otherwise exposed.
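As an added illustration of what item 7 asks of a company (example code written for this page, not taken from any product or vendor named here): a sensitive field is encrypted with AES-256-GCM before it is written to the database, the key is supplied from outside the database (assumed here to come from a KMS or secrets manager at startup), and the ciphertext is bound to its row so it cannot be copied into another customer's record. The customer row, the SSN and the key are all constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// CustomerRecord is the row as it would be persisted. Only the sealed envelope
// is stored; the plaintext SSN never reaches the database.
type CustomerRecord struct {
	ID          int
	Email       string
	SSNEnvelope string // base64(nonce || ciphertext || GCM tag)
}

// RowAAD builds the additional authenticated data that ties a ciphertext to one
// row and column, so an envelope copied into another row fails to decrypt.
func RowAAD(id int, column string) string {
	return fmt.Sprintf("customer:%d:%s", id, column)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealField encrypts one sensitive value with AES-256-GCM under a fresh random nonce.
func SealField(key []byte, aad, plaintext string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	// Seal appends ciphertext+tag after the nonce, so the envelope is self-describing.
	sealed := gcm.Seal(nonce, nonce, []byte(plaintext), []byte(aad))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// OpenField reverses SealField. A wrong key, a tampered envelope, or an envelope
// moved to another row all fail closed with an authentication error.
func OpenField(key []byte, aad, envelope string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(envelope)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("envelope too short")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(aad))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	// Demo assumption: in production the key is fetched at startup from a KMS,
	// HSM or secrets manager and is never stored in the database it protects.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	rec := CustomerRecord{ID: 42, Email: "alice@example.com"} // constructed sample row
	env, err := SealField(key, RowAAD(rec.ID, "ssn"), "123-45-6789") // constructed sample SSN
	if err != nil {
		panic(err)
	}
	rec.SSNEnvelope = env
	// This is all an attacker who dumps the table gets.
	fmt.Printf("stored row: id=%d email=%s ssn=%s\n", rec.ID, rec.Email, rec.SSNEnvelope)
	// The application, which holds the key, can still read the value.
	ssn, err := OpenField(key, RowAAD(rec.ID, "ssn"), rec.SSNEnvelope)
	fmt.Println("app decrypts:", ssn, err)
	// Guessing a key or moving the envelope to a different row both fail.
	wrongKey := make([]byte, 32)
	_, err = OpenField(wrongKey, RowAAD(rec.ID, "ssn"), rec.SSNEnvelope)
	fmt.Println("wrong key:", err)
	_, err = OpenField(key, RowAAD(7, "ssn"), rec.SSNEnvelope)
	fmt.Println("envelope moved to row 7:", err)
}
```

The design point is the separation: the database holds only envelopes, the key lives elsewhere, and the row identifier is authenticated along with the ciphertext. A breach that exfiltrates the table yields base64 noise; only a breach that also reaches the running application's key material exposes the data, which is why item 7 pairs encryption with access controls and monitoring.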

Conclusion

While companies often escape the true financial consequences of data breaches, there are steps both businesses and individuals can take to reduce the risks and improve security. Strengthening legal penalties, ensuring greater corporate accountability, and promoting a culture of cybersecurity within businesses are key measures to address this issue. Consumers can also take practical steps, such as using secure communication tools like ProtonMail and Signal, enabling 2FA, and practicing vigilance in monitoring their personal information. By taking these actions, individuals and businesses alike can better protect sensitive data and minimize the impact of data breaches in an increasingly connected world.
