The cost of complying with privacy and security regulations is high, so high that many companies — whether deliberately or negligently — fail to implement the protections and processes that would keep data safe. Security requires investment in process, staff, and technology, but as a recent study from Ponemon shows, not making that investment is likely to be the more expensive course of action.
The study shows that organizations that don’t comply with data protection regulations can expect to pay out 2.71 times more to become compliant and prove that compliance than an organization that complied from the start.
The cost of compliance has risen sharply in the past few years, and it’s likely to rise even further with the introduction of the GDPR in May 2018. Since 2011, the average cost of compliance has risen by 43% to just under $5.5 million.
While it’s easy to see why a server hosting client would want to avoid that cost burden, the cost of non-compliance is even higher. In the same period, the average cost of non-compliance rose from $9.4 million to $14.8 million.
There are many consequences of non-compliance, not the least of which are fines and the data breaches that have become a ubiquitous part of our lives in 2017. It’s likely that everyone has friends or family impacted by the Equifax data breach, even if they weren’t one of the 143 million people whose private data was stolen.
In addition to the damage data theft incidents cause to a business’s reputation, fines, incident response costs, legal costs, and loss of business have to be factored in.
To take HIPAA as an example, businesses can be fined up to $1.5 million for each violation, not to mention prison terms of up to five years for knowingly breaching HIPAA rules — if the violation was malicious, prison terms rise to ten years.
If non-compliance costs exceed the cost of compliance, why do so many businesses fail to properly protect data? Part of the problem is short-term thinking by executives. Until a serious incident occurs, there is little visible cost to not investing in the necessary precautions, and it’s human nature for executives to assume they won’t be the ones who are caught out.
As an industry, we tend to focus on the technical causes of security incidents, from which it follows that the solutions are technological. In reality, security is about process and incentives.
The Equifax breach was caused by a vulnerability in Apache Struts, a vulnerability that had been patched by the project’s developers months earlier. There was ample opportunity to upgrade, and yet it didn’t happen. It’s not that Equifax didn’t have the resources to implement an adequate upgrade and patch management process. No one did the necessary work because the processes and incentives that would guide and motivate them weren’t in place.
The cost of non-compliance is enormous, and although the cost of compliance is rising, over the long term it’s less expensive than a serious data breach.