Security standards, laws, regulations, and compliance requirements are continuously becoming more complex (and more expensive to meet). Depending on geography and industry, organizations are required to adhere to the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS), the California Consumer Privacy Act (CCPA), ISO 27001, NIST guidance, and more.
It is one thing for an organization to keep on top of these regulations; it is another to make sure every employee does so as well. For employees outside IT, these requirements are rarely top-of-mind or even known. Giving these employees a way to learn and understand the regulations (even as they change) without slowing down their work helps a company stay both efficient and compliant.
Data breaches are getting more expensive; since GDPR’s inception, the EU has handed out fines worth $331 million. Approximately $192 million of those fines were given in 2020, showing a clear increase (ComputerWeekly). The largest data-breach related GDPR fines as of January 2021 include:
- British Airways (£20 million, approx. $27.3 million) - for “failing to protect the personal and financial details of more than 400,000 of its customers.” (UK’s ICO)
- Marriott International (£18.4 million, approx. $25.2 million) - for exposing personal data contained in approximately 339 million guest records, more specifically “failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.” (UK’s ICO)
Similarly in the US, enforcement of the CCPA, including fines, began on July 1st, 2020 (Infosecurity Magazine).
The costs of a breach extend beyond the dollar value of the data and the fines and penalties. A data breach can damage an organization’s reputation for months or even years. Some companies never recover: 10% of small companies (those with up to 500 employees) went out of business after a data breach (SC Magazine).