The headline-grabbing settlement by Equifax closes the books on investigations by the 50 state attorneys general, the Federal Trade Commission and the Consumer Financial Protection Board, as well as class action suits, arising from the disastrous data breach of 2017.
And the price tag, potentially up to $700 million, seems to open another chapter in a new era of heavy fines by regulatory authorities over data privacy; see also the proposed $5 billion penalty the FTC wants to levy on Facebook for the Cambridge Analytica affair and the $230 million that the UK Information Commissioner's Office, applying GDPR, is seeking from British Airways over the Magecart attack of 2018–that's more than 6% of the airline company's forecast 2019 operating profit
With the threat of regulatory fines leveling up – are the risk analysis capabilities of your organization up to meeting the challenge? RiskLens Risk Science Director Jack Freund says that "qualitative, red/yellow/green scales don't give you a clear picture of the potential magnitude of impact of a data breach" or guide you to make the right investments in security that will reduce your risk in financial terms. That's a job for quantitative risk analysis, using the FAIR model that powers the RiskLens platform.
In fact, a FAIR quantitative analysis could show that these latest fines may change the risk calculus for your organization less than you'd think, Jack says.
First, Jack suggests, separate the fines ($275 million) from the restitution payments to consumers (as much as $425 million, depending on how many take advantage).
To assess your liability for fines, ask yourself, how much your corporate profile looks like Equifax’s—and how much of an example regulators might want to make of you. For instance, Jack says, the FTC looks to go after companies that either make “egregious violations or novel violations” of privacy rules or security practices. And your public profile is probably not as high as Equifax’s, which holds data on just about every American.
Meanwhile, the restitution payout “only applies if a consumer can show damages,” Jack says. “Few will be able to show documentation of damages.” A claimant would have to document losses — attorney costs or credit monitoring, for instance — and show that they were directly the result of the Equifax breach, not one of the many other data leaks of recent times.
The real value to take away from these fines and settlements for a quantitative analysis, Jack says, is to set a range of what your organization’s penalties might look like in building loss scenarios on the RiskLens platform around GDPR or FTC action, for instance, or lawsuits in the U.S.
Equifax shows how bad losses could be, and Jack’s advice is to “scale up or down” in a range, depending on your company’s situation. After big news like Equifax, “be diligent in presenting risk analysis to draw the line between FUD and saying ‘here’s a better sense of what our fine might look like, based on quantitive risk analytics'."