The introduction of fines by Asian regulators may not help to reduce the number of security breaches because regulatory compliance in the region is still not at a mature stage. It is also difficult for regulators to track security breaches and quantify the fines.
Imposing fines may not be the best solution to encourage companies to take better care of their IT Security, Mark Goudie, principal risk investigator at Verizon's enterprise solutions, pointed out.
According to Goudie, businesses still continue to fail to maintain compliance in spite of steep penalties. He cited the Verizon Payment Card Compliance Report last year which found most businesses accepting credit cards continue to struggle to achieve and maintain compliance with the Payment Card Industry Data Security Standard (PCI DSS).
It is also impractical, as fines often do not amount to as much as the cost of making an IT infrastructure secure, he added. It is far more effective to have a robust security strategy and keep abreast of new security technologies to address the ever-changing threat landscape, he explained.
The challenge in implementing fines for security breaches often revolves around enforcement and tracking the occurrences of such breaches, Edison Yu, research manager of ICT Practice at Frost & Sullivan Asia-Pacific, noted.
With the proliferation of dynamic and complex cyberattacks and breaches, governments cannot treat security breaches as isolated incidents and simply introduce a tracking approach and rigid punishment structure to police it, he explained.
It is also difficult to peg the amount of the fine imposed to the breaches in question without a proper measurement system in place, Yu added. He said it was just as important to look at how enterprises remediate and recover from a security breach.
Regulatory compliance in Asia-Pacific not ripe
Regulatory compliance is still at a "nascent stage" in many countries across the region, Yu pointed out. In cases where data and privacy protection regulations have been introduced, many of them are perceived to be guidelines, and enforcement practices are still "weak", he explained.
As such, very few companies in Asia-Pacific have been fined for security breaches and the concept of "fines" has yet to be seen as a viable measure to minimize security breaches, Yu said.
Fines not completely effective
When a security breach is made public, enterprises are generally concerned about the adverse impact on their reputation and customer confidence levels, the Frost & Sullivan analyst noted.
So instead, combining a fine with the consequence of public perceptions of incompetence may prove to be a more effective deterrent than a fine alone, he added.
At the moment, Europe, the U.S. and Australia have legislation imposing monetary penalties and public notification obligations on firms that fail to hold personal data securely, Elle Todd, partner at law firm Olswang, pointed out.
In Asia, Singapore's personal data protection bill, passed on Monday, also contains a general obligation to keep data secure--similar to that in European legislation--with a breach of this provision liable to a fine of up to S$1 million (US$820,000), the lawyer added.
Disclosure may be more effective
Forcing enterprises to come clean and be transparent with their security breaches may prove to be more effective than simply imposing fines, since the consequences associated with the former tend to be more serious, Yu advised.
Having a fine imposed, without the case going public, may eventually be perceived as nothing more than "a slap on the wrist", especially with resource-rich enterprises and if the amount imposed is not significant enough, he explained.
Should regulators decide to impose a penalty, the amount should be pegged to the severity of the security breach which occurred, Yu advised.
The concept of "safe harbor", or ensuring compliant organizations do not get fined even if they are breached, should be applied, Goudie added.
These organizations that have complied with industry standards should not be fined as their security standards are already higher than their peers, he explained.
Regulators must draw a line between organizations that were compliant at a point in time and those that are compliant when they have a computer security incident, and only the latter should be given safe harbor, he noted.
"The impact of fines should also be viewed in terms of their relevance to various scenarios and different target audiences," he said. "It is thus important to discard the ‘one size fits all’ mentality when we are looking at meting out fines as punishment."