Are companies sufficiently held accountable for data leaks caused by ransomware attacks?
They should be, but they aren't, especially when PII is leaked.
I see a lot of companies rely on cyber insurance to pay the ransom or cover the cost of a breach, but if my data is affected there has to be some penalty. I think the laws should be stricter, any PII should be taken seriously, and we need to have regulations that will protect PII like HIPAA is doing in the medical field.
I cringe every time I go to my tax accountant, because he has this old Dell computer with a zip drive attached to it. And I just hope that my data isn't on that zip disk somewhere. But in recent years, he's been filing it online, so I feel better that my data is somewhere else and not sitting on his shelf with the tax returns of all his other clients. There should be an equivalent of HIPAA violations for tax accountants too because I can break into his office and get everybody's tax records.
I sit in CISO roundtables at least once a day, and everybody's talking about frameworks to follow. That's important, but it's just another checkbox. I continue to have these conversations and see more companies get hit. I work for a preventative ransomware company, and the companies we're talking to have to follow very strict compliance. They're financial companies, manufacturers, and pharmaceutical companies who are losing the battle.
But lots of companies are recovering from ransomware. It's not affecting them. If they have a huge data breach, they're fine in a couple months, so who cares?
It's interesting because some of these companies are huge and it's not public news that they were attacked. They won't tell you that they got hit, but you can hear the desperation in their voice when they say, "We don't want our pipeline or manufacturing site to go down because every day it's down, we lose 5 million."
Companies have to be held accountable in the event of a data leak, especially if it's personal data. If it's their own company data, then they're already losing, but if it's other people's personal data, then they need to be held accountable for that.
Most companies are not being held accountable. Where I have been subject to breaches at credit card issuers and retailers, the settlement usually involves a one-year membership to an identity breach monitoring service, with much of the "penalty" directed to legal representation.
As Ajet pointed out, healthcare is the exception thanks to the teeth in laws protecting personal health information. Both providers and payers have been rightfully hit with hefty fines for breaches, and I have observed real improvements in their data privacy protection practices over the last 10 years.