Cybersecurity and data protection: Companies face fines in the millions of dollars
Cybersecurity and data protection are two closely related strategic issues, as a cyber-attack can lead to the breach of customer data
At the end of September 2024, the Irish Data Protection Authority fined Meta, one of the world’s largest technology companies, 91 million euros. Why? The company had stored the passwords of social network users in its internal systems without applying cryptographic protection or encrypting them.
This is not the first fine Meta has received. In 2023, Meta had already been fined 1.2 billion euros, the highest fine in history, and another 390 million euros for failing to comply with various provisions of the General Data Protection Regulation.
1. Latest sanctions related to cybersecurity and data protection on both sides of the Atlantic
The new sanction imposed on Meta in September of this year shows that cybersecurity and data protection form a critical pairing for every company in the digital era. Every day in the European Union, the United Kingdom and the United States, breaches of data protection regulations linked to cybersecurity deficiencies are detected.
In some cases, weaknesses in corporate cybersecurity structures are exploited by criminals to provoke security incidents that result in the theft of personal data of customers, employees and business partners, as well as secret and valuable business information.
For example, a few weeks ago, it became public that the Federal Communications Commission (FCC) had imposed a fine of 15.7 million dollars on T-Mobile, one of the world’s largest telecommunications companies. The penalty stemmed from several security incidents that had led to the leak of personal data of millions of customers, including critical information such as their Social Security or driver’s license numbers.
Along with the sanction, the FCC required the company to invest a further $15.7 million in its cybersecurity program to improve its cyber hygiene and strengthen its data protection mechanisms.
Below, we will break down the keys to the relationship between cybersecurity and data protection to help companies avoid sanctions, reputational damage and financial losses.
2. Data is a prime target for cybercriminals
Many of the cyber-attacks that are constantly being launched against companies are aimed at stealing personal data. It is enough to look at the news to see that this type of incident occurs regularly.
Just a few days ago, Casio, a Japanese multinational that makes technology products such as watches and audio equipment, confirmed that a ransomware attack against its systems had caused:
- Disruptions in its activities.
- The theft of personal data of employees, business partners, job applicants and customers.
- Access to critical information such as contracts with partners, invoices, sales, legal documents, audits or technical information.
Only a year earlier, Casio had suffered a leak of customer information from 150 countries after malicious actors accessed data stored on a web application server.
Why do cybercriminals target personal data?
- They can be used to extort companies by demanding ransom payments in exchange for returning the data or not making it public.
- They can be used to launch future attacks against the people whose data has been obtained. In fact, we are currently experiencing a wave of digital fraud that originates from data theft.
- They can be easily traded on the Dark Web for use by other malicious actors.
3. Personal financial information is the jewel in the crown
Cyber-attacks aimed at stealing the personal data of customers or employees target companies in all sectors. However, one area is particularly affected by these threats: finance. Why is this the case?
Cybercriminals can use the personal data obtained to directly attack customers of financial institutions and commit lucrative financial fraud.
For example, the company VIVUS, which specializes in online loans, suffered a security incident in which the attackers obtained customer data such as ID or means of payment. With this information, they impersonated VIVUS customers, accessed the company’s platform and requested loans in their name, which were granted automatically. They then impersonated company professionals and asked the defrauded customers to repay the loans to an account under the control of the malicious actors.
The Spanish Data Protection Agency (AEPD) concluded that VIVUS had failed to comply with its cybersecurity and data protection obligations and imposed two fines of €600,000, which were reduced to €360,000 upon voluntary payment.
This incident is not isolated; financial institutions have always been at the forefront of the fight against cyber-attacks. The regulatory framework is more demanding for companies in this sector, as evidenced by the implementation of the DORA regulation.
4. GDPR: Cybersecurity and data protection in the EU
Given the scenario we have just described, no one can be surprised that in the last decade, various regulations have been approved to ensure the data protection of citizens and companies.
Thus, in 2016 the General Data Protection Regulation (GDPR) came into being, a pioneering rule governing how companies and institutions process, store and use citizens’ personal data.
The GDPR allows us to observe the close relationship between cybersecurity and data protection, as it imposes four major cybersecurity obligations on organizations.
4.1. Ensuring integrity and confidentiality
Data processing must ensure the security of information (Article 5.1.f.). This implies that organizations must have adequate technical and organizational mechanisms in place to safeguard the integrity and confidentiality of data against:
- Unauthorized or unlawful processing.
- Loss, destruction or alteration of information.
4.2. Maintaining an adequate level of security
An adequate level of security must be ensured according to the risk (Article 32.1.). This implies:
- Performing encryption of personal data or anonymizing them.
- Optimizing the resilience of data processing systems.
- Having the ability to restore access to personal data in the shortest possible time in the event of an incident.
- Continuously assessing whether the cybersecurity measures in place ensure data protection.
Security level assessments must consider the risks associated with data destruction, unlawful alteration or unauthorized access (Article 32.2.).
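Two of the Article 32.1 measures listed above, shown in code. This is an added example written for this page, not code from the article or from any company it names; the two store classes, the `pseudonymise` helper, the key and the sample record are all constructed for the demonstration. The weak store is the pattern behind the password-storage fine the article opens with: a copy of the table is a copy of every password. The hardened store keeps only a per-user random salt and a PBKDF2-HMAC-SHA256 digest (Python standard library), so a leaked table does not reveal passwords and must be attacked one user at a time at the configured cost. The pseudonymisation helper replaces identifying fields with a keyed HMAC, so a leaked record cannot be linked back to a person without the key, which is kept apart from the data.

```python
"""Added example (not from the original article): two Article 32.1 measures.

1. Credential storage: plaintext store beside a salted, iterated-hash store.
2. Pseudonymisation of identifying fields with a keyed HMAC.

All class names, keys and sample records below are constructed for the demo.
"""
import hashlib
import hmac
import os


# --- 1. Password storage ----------------------------------------------------

class PlaintextPasswordStore:
    """The weak pattern: the stored value IS the secret."""

    def __init__(self):
        self._users = {}

    def register(self, user, password):
        self._users[user] = password

    def verify(self, user, password):
        return self._users.get(user) == password

    def leaked_record(self, user):
        # What an attacker (or an auditor) sees if the table is copied.
        return self._users[user]


# Iteration count of the order OWASP recommends for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000


class HashedPasswordStore:
    """The hardened pattern: per-user salt + slow, one-way key derivation."""

    def __init__(self):
        self._users = {}  # user -> (salt, digest)

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
        )

    def register(self, user, password):
        salt = os.urandom(16)  # fresh salt: equal passwords get different digests
        self._users[user] = (salt, self._derive(password, salt))

    def verify(self, user, password):
        rec = self._users.get(user)
        if rec is None:
            return False
        salt, digest = rec
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(digest, self._derive(password, salt))

    def leaked_record(self, user):
        salt, digest = self._users[user]
        return salt.hex() + ":" + digest.hex()  # no password recoverable from this


# --- 2. Pseudonymisation ----------------------------------------------------

def pseudonymise(record, key, fields):
    """Return a copy of `record` with each named field replaced by a keyed
    HMAC-SHA256 pseudonym. Same key + same value -> same pseudonym, so the
    pseudonymised table still joins on the field; without `key` the original
    value cannot be recovered or matched."""
    out = dict(record)
    for field in fields:
        mac = hmac.new(key, str(record[field]).encode("utf-8"), "sha256")
        out[field] = mac.hexdigest()[:16]
    return out


if __name__ == "__main__":
    weak, strong = PlaintextPasswordStore(), HashedPasswordStore()
    for store in (weak, strong):
        store.register("alice", "correct horse battery")
    print("plaintext store leaks:", weak.leaked_record("alice"))
    print("hashed store leaks:   ", strong.leaked_record("alice"))

    # Constructed customer record; the key would live in a separate KMS/HSM.
    pseudo_key = os.urandom(32)
    customer = {"name": "Ana Example", "id_number": "00000000X", "loan_eur": 500}
    print(pseudonymise(customer, pseudo_key, ["name", "id_number"]))
```

Only the `loan_eur` field survives pseudonymisation in clear, which is the point: the analytics value of the row is kept while the fields that identify the person are not, and re-identification requires the separately held key.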
4.3. Notification of personal data security breach
Organizations must notify the competent authorities of any personal data breach within 72 hours of becoming aware of it (Article 33). This notification must include the possible consequences of the incident or the measures to remedy it.
In any case, the data controller must document everything related to the personal data breach: what happened, what the consequences were, how it was acted upon, and what measures have been put in place to correct the cybersecurity and data protection deficiencies…
This documentation will allow the competent authority to verify whether or not the organization complied with its cybersecurity and data protection obligations.
4.4. Notifying the affected parties
In addition to notifying the competent authority, companies and administrations that detect a data security breach must inform data subjects if they believe that the incident may affect their rights and freedoms (Article 34).
This communication is not mandatory if any of these three conditions is met:
- The organization has implemented the necessary technical and organizational measures to render the data subjects’ data unintelligible.
- Subsequent measures have been implemented to ensure that the risk will not materialize.
- Informing all affected persons is disproportionate. In this case, a public communication should be made.
The regulation also states that, if the organization has not informed the data subjects about the breach of their personal data, the competent authority may require it to do so if the incident poses a high risk.
5. Financial penalties in cybersecurity and data protection matters
The GDPR confers a wide range of functions on the competent data protection authorities, which, in our country, is the AEPD. Within its catalog of powers is the possibility of imposing financial penalties such as the one that the Irish Data Protection Authority issued against Meta.
With regard to breaches of cybersecurity and data protection, the regulation provides for two different administrative fines:
- If Articles 32, 33 or 34 are breached, the authorities can impose administrative fines of up to €10 million or 2% of the company’s annual worldwide turnover, whichever is higher.
- If Article 5 on the basic principles of data processing, including security, is breached, fines can reach €20 million or 4% of annual worldwide turnover, whichever is higher.
On the other side of the Atlantic, the fines are also in the millions, as evidenced by the T-Mobile case and other recent cases, such as the one involving the Marriott hotel group. The Federal Trade Commission (FTC) has forced the company to implement an effective information security program after it was the victim of multiple cyber-attacks that led to the theft of millions of consumers’ data.
In addition, the company agreed with 49 states to pay $52 million for its cybersecurity and data protection breaches.
6. Beyond fines: Severe reputational damage and heavy financial losses
Financial penalties can be so high that they can significantly impact a company’s finances. In addition, there are three other serious consequences of security incidents involving data breaches:
- High incident management costs. Beyond the fines, companies must invest a large amount of financial resources in managing incidents, investigating them and implementing measures to prevent them from happening again.
- Direct economic losses if the hijacking of personal data impacts the company’s operations and its ability to carry out its activities and provide service to its customers. To this we must add the economic damage from the loss of customers or from legal proceedings that end with an obligation to compensate the persons whose data have been compromised.
- Unquantifiable reputational damage. If an individual sees his data fall into the hands of cybercriminals and even becomes a victim of fraud, trust in the company affected by the data breach will be shattered forever. The leakage of personal data after successful cyber-attacks irreparably damages the reputation of the companies that suffer from them and undermines their relationship with customers, partners and employees.
7. What can companies do to protect their data against cyber-attacks?
The relevance of cybersecurity and data protection is nowadays unavoidable. Data breaches have become a major threat to companies. This is true not only for large companies but also for SMEs.
So far this year, the AEPD has not only sanctioned large corporations; we can also find fines for small and medium-sized companies that lack sufficient cybersecurity and data protection measures. Moreover, the sanctioned entities operate in sectors as diverse as tourism and healthcare.
To comply with current regulations and prevent a cyber-attack from resulting in the theft of personal data, companies have a wide range of cybersecurity services at their disposal that can be adapted to their needs and resources.
7.1. Cybersecurity services to optimize prevention, detection and response to attacks
- Security audits. These are essential when evaluating measures and mechanisms to protect the personal data of customers, employees or partners, such as data encryption.
- Penetration testing. Advanced penetration testing helps to detect vulnerabilities that malicious actors could exploit to steal personal data.
- Vulnerability management. To monitor vulnerabilities affecting corporate systems, prioritize their remediation and manage their entire life cycle.
- Red Team exercises. Companies more mature in cybersecurity can undergo Red Team exercises focused on simulating ransomware attacks. What is the purpose? To test how defensive mechanisms work, train professionals in charge of the organization’s defense and optimize detection and response capabilities.
- Incident response. Proactive incident response services can respond to any attack in less than 1 hour, contain the hostile actor and expel it in the shortest possible time and with maximum guarantees. Optimal incident response can prevent cyber criminals from achieving their goals and gaining control of personal data.
In short, cybersecurity and data protection are two areas of enormous importance for companies in today’s fully digitalized world. In addition, cybersecurity strategies play an extremely important role in protecting the data that companies store about themselves, their employees and customers.
Cybersecurity services are essential to ensure data protection, prevent malicious actors from gaining access to personal data, resolve incidents and avoid fines in the millions for data protection violations.