Companies get off too easy with data breaches. Bigger fines are a good place to start

Editor’s note: Will Carter is deputy director of the Technology Policy Program at CSIS. The opinions expressed in this commentary are his own.

(CNN) — On Tuesday, Capital One announced that over 100 million customers’ personal data was exposed in a major data breach. It’s one of the largest ever.

In a January 2017 poll, 64% of Americans said they had personally experienced a data breach. How many will there be in 2019, when breaches of more than 100 million records are becoming the norm? At what point will the US government say enough is enough?

For years, the private sector has pushed back on efforts to regulate cybersecurity, arguing that market incentives will do a better job of driving companies to invest in cyber defense than regulations. Customers will flee companies that do not protect their data, the logic goes. Investors will rebel and hold companies accountable for the damage to their brand. And the direct cost of responding to a data breach will hit companies’ bottom line.

But the steady stream of major breaches in the last few years has exposed the truth: Data breaches have little to no long-term impact on companies’ business. Why invest in defense when data breaches do not hit your bottom line?

And many companies struggle to invest in the mundane and tedious details that are at the heart of most breaches. The solution is not more “cyber ninjas,” network monitoring, threat intelligence services or dynamic firewalls. Many major data breaches, including the Capital One breach, are the result of insider threats or sloppy configuration and maintenance — things that are not difficult to fix, but take time, money and effort to consistently manage.

In November 2018, Marriott announced one of the largest data breaches in history, which exposed close to 400 million customers’ records. There was little impact on Marriott’s business. In March, Marriott’s CEO confirmed that the breach had no impact on customer retention or on the company’s revenue. Investors were also unfazed — Marriott’s stock is up about 15% since the announcement. And the direct cost of dealing with the breach? Just $72 million so far, $71 million of which was covered by insurance. Marriott reported $1.9 billion of net income in 2018.

Capital One will likely fare much better. According to Capital One, the alleged hacker behind the breach, Paige Thompson, does not appear to have used or sold any of the stolen data. Capital One said it will offer free credit monitoring for affected customers, and it’s likely the company will cover some costs of the investigation and address any vulnerabilities it finds, but this will be a drop in the bucket for a company with $32 billion of annual revenue. It expects to pay between $100 million and $150 million.

The reality is simple: Cyber incidents cost the global economy hundreds of billions of dollars every year, but the way that those costs are distributed means that companies have few incentives to make the necessary investments to stop data breaches. This is where governments come in. When the market fails to incentivize good behavior, regulators must step in to change those incentives.

In the case of data breaches, the biggest cost for most companies comes not from the market, but from fines imposed by governments. The $72 million of direct cost Marriott experienced from its data breach is dwarfed by the $124 million fine that the British data protection authority imposed on the company for failing to protect customers’ data. Under the European Union’s General Data Protection Regulation (GDPR), companies face fines of up to 4% of their annual global revenue for exposing EU citizens’ data. The United States has no comparable law to impose costs on companies for data breaches.

The United States needs a comprehensive new approach to managing data breaches that creates real incentives for companies to protect their customers’ data. We need a national data breach disclosure law that imposes consistent requirements on companies to disclose breaches to customers and to regulators. And we need to impose large enough monetary penalties that it is cheaper for companies to invest in security than to pay for the costs of a breach. Facing massive potential fines of up to 4% of their global revenue under GDPR, boards and executives can not only justify significant investment in cyber defense, they can demand it.

But raising the costs for companies alone is not enough. We must also raise the cost to criminals who steal our data. The most remarkable thing about the Capital One hack is not the size of the breach or the fact that it hit one of the US’s largest banks — it is the fact that the hacker was arrested. Most aren’t.

Cybercrime is largely consequence-free. Exact statistics on the prevalence of cybercrime and number of prosecutions are hard to come by, but experts agree that far less than 1% of cybercrimes ever result in an arrest. One study estimated the arrest rate for cybercrimes could be as low as 0.05%. Prosecutions are even more rare. For example, despite an estimated 1.7 million cybercrimes committed in the UK in 2017, authorities there prosecuted just 47 cybercrime cases.

Cybercriminals are protected by the broken international law enforcement system that makes it nearly impossible to investigate cybercrimes — the vast majority of which cross international borders — much less extradite criminals to be prosecuted. In those rare cases when cybercriminals are brought to justice, it is often the result of multi-year, multi-million dollar collaborations between elite cyber units at law enforcement agencies around the world.

The May takedown of the GozNym crime group, for example, involved a coordinated operation of six different countries. Even then, of the 10 suspects indicted, five remain on the loose, believed to be hiding in Russia, a country with a checkered record of cooperating with cybercrime investigations.

That level of resources and attention can only be expended on the most significant and serious cyber incidents, leaving millions of smaller incidents uninvestigated. Even in relatively simple domestic cases, under-resourced law enforcement agencies lack the talent and tools, and often the authority, to gather the evidence to effectively prosecute cybercrime. Law enforcement must be brought into the cyber age.

Cybercrime costs the world economy nearly 1% of global GDP, and that number will only continue to grow unless we change the consequences for cyber attackers and defenders. The market has failed to drive firms to invest in security. It is time for the US government to follow the lead of other countries and the EU and impose real costs on companies that fail to protect their customers’ data and to prosecute those who commit the crimes.
