The Best Way for Businesses to Avoid Data Breach Fines

September 12, 2014

Having your business bank account hijacked by cybercriminals could bankrupt your company, but that type of breach isn’t really what regulators and breach-notification laws care about. They are concerned with one thing: how well you protect information that can “uniquely identify” other people, i.e. Personally Identifiable Information (PII).

Both the European Union and the United States (at the Federal level) are attempting to unify breach reporting requirements. The EU wants its 28 member states to operate under the same rules, and the US wants the requirements of the individual states to be harmonized. Currently, three US states have no breach notification law at all. Here you can see what the rules are in the US for your respective state.


Once a unified breach law exists – and the EU is moving rapidly toward this goal, with the expectation that it will be in place by the end of 2014 – what will compliance look like? How can we reduce our risk of being fined for non-compliance? Let’s start with the basics of what a breach law dictates:

- To whom the breach must be reported
- How soon it must be reported
- Remediation requirements: end-user education, credit protection services, etc.
- Penalties and fees:
  - For not reporting
  - For damages, actual or potential
  - For not having “compliant” security in the first place

When it comes to assessing a fine, the effect could be quite painful. The EU’s draft regulation proposes fines of “up to 2% of annual turnover” (in the US, this term correlates to “gross revenue”, not net income) for failure to report, and the European Parliament’s version of the text pushes that ceiling higher. There is some good news for small and medium businesses: SMEs will not face reporting requirements as stringent as those of larger companies, nor will they be fined for a first “non-intentional non-compliance”. However, given the often subjective nature of some breach language, as soon as you become aware of a breach involving PII, consult a lawyer to be sure you understand your obligations and options. In the meantime, consider outsourcing the safe-keeping of all PII, bearing in mind that outsourcing storage does not, by itself, outsource your legal accountability for the data.


It’s far more likely that you will escape brand damage if you can at least point to a seemingly reliable 3rd party as the one who was breached. Additionally, as long as you are reasonably diligent in vetting the 3rd party and your contract with them explicitly assigns notification, remediation and penalties to them, some of that burden may fall on them rather than on you. Be aware, though, that under EU data protection law the organization that collected the PII (the data controller) remains responsible for it even when a contracted processor stores it; the controller is required to choose a processor offering sufficient security guarantees and to bind it by contract. Outsourcing reduces your exposure only when that vetting and that contract are actually in place.

If your business is part of a sector that is getting hit hard by breaches, it’s not a bad idea to mention that you outsource the storage and protection of all PII. Even if it causes only a few hackers to bypass your company as a target, it will be worth it.

Don’t forget, employee information is also PII, and access to it should be limited to the very few people who need it. Every employee who has access to such data should also understand that PII should never exist unencrypted, whether at rest or while moving across a network. This means any media used to move PII or to back it up, such as a thumb drive, must be encrypted as well, and the encryption key must be kept somewhere other than on that same media, or the encryption protects nothing. Use authenticated encryption (for example AES-GCM), so that a tampered or truncated backup is rejected on decryption instead of silently yielding corrupted records. (Here you can learn more about how to encrypt almost anything.)
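As an added illustration of what “encrypted at rest, key kept separately” looks like in practice, the following Go program (example code written for this page, not from the original article or any product it mentions) seals a single PII record with AES-256-GCM before it is written to a backup or thumb drive, checks that no plaintext fragment survives in the output, and shows that a one-bit modification of the blob is rejected on decryption. The employee record, the record identifier used as associated data and the field values are constructed sample data; a real deployment would fetch the key from a KMS or hardware token rather than generating it in `main`.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed sample: one employee record as it might appear in an HR export.
// Hypothetical data, not taken from the original article.
const sampleRecord = `{"name":"Jane Example","ssn":"000-00-0000","dob":"1980-01-01"}`

// NewKey returns a fresh random 256-bit AES key. Store it apart from the
// encrypted media (KMS, HSM, or at minimum a separate device).
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext with AES-256-GCM and returns nonce || ciphertext || tag
// as one blob that can be written to a backup. aad (here a record identifier)
// is authenticated but not encrypted, so a valid blob cannot be quietly moved
// into another record's slot without detection.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal. Any change to nonce, ciphertext or tag, or a mismatched
// aad, yields an error rather than corrupted plaintext.
func Open(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// LeaksPlaintext reports whether any of the given PII fragments appear verbatim
// in blob: a cheap sanity check that a "backup" really is encrypted.
func LeaksPlaintext(blob []byte, fragments ...string) bool {
	for _, f := range fragments {
		if bytes.Contains(blob, []byte(f)) {
			return true
		}
	}
	return false
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	aad := []byte("employee:1042") // constructed record identifier
	blob, err := Seal(key, []byte(sampleRecord), aad)
	if err != nil {
		panic(err)
	}
	fmt.Println("SSN visible in backup:", LeaksPlaintext(blob, "000-00-0000"))
	pt, err := Open(key, blob, aad)
	fmt.Println("decrypted:", string(pt), "err:", err)
	blob[len(blob)-1] ^= 0x01 // flip one bit of the authentication tag
	_, err = Open(key, blob, aad)
	fmt.Println("after tampering:", err)
}
```

The same pattern applies to a whole file or a thumb-drive image: seal the bytes, carry only the blob on the media, and keep the key under separate control so that losing the drive is a lost-hardware incident rather than a reportable PII breach.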

Admittedly, the US and EU aren’t likely to begin enforcement of any new rules before 2016 (except selectively, in the case of very public breaches) so there’s still time to plan. But do put “PII management” on your list of things to consider over the next year or you could end up exposing your business to some very expensive consequences.