Jay Cline: U.S. takes the gold in doling out privacy fines
* Security breaches the top cause. Over the last 15 years, security breaches were the most likely to draw a large fine. They accounted for some 35% of the sizable penalties in our database. Other privacy violations, such as disclosing personal data, either by accident or deliberately, and failing to provide opportunities for choice and consent, were the next most likely to trigger large fines. Each accounted for roughly 20% of the large penalties in our survey.
* Top industries. Looking at fines by sector, healthcare providers, health insurance companies and drug stores account for the biggest share, 22%, of the large fines levied since 1999. Government entities at the national and local levels were faulted in 20% of cases, and telemarketers, providers of credit reports, loan collectors, market researchers and business-intelligence providers accounted for another 18%.
* Top geographies. Continental European data-protection authorities have chided their U.K. counterpart in the past for being too lax, but the evidence shows the Brits are the heaviest-handed in all of Europe. U.S. and U.K. regulators have, by a wide margin, imposed most of the large fines for privacy violations. U.S. regulators levied some 55% of the penalties exceeding $100,000 worldwide, with U.K. regulators following at 35%. The vast majority of fines levied by other EU and Asian privacy regulators, by comparison, fell below our $100,000 threshold.
I need here to confess the limitation of our analysis. Many privacy-enforcement actions outside the U.S. and U.K. don't find their way into the English-language press unless they're large amounts or levied against large multinationals. The Spanish privacy watchdog, for example, has reportedly taken 399 privacy-enforcement actions netting $26.7 million -- or $67,000 on average -- for the Spanish treasury over the past decade. Only one -- its December 2013 fine against Google for its Street View product, hitting its maximum level allowed by law of $1.23 million -- made the recent headlines in the English-language press.
U.S. leads gold-medal count for privacy fines, lawsuits
We also set out to rank-order the top privacy fines in history. When we did this, the U.S. dominated the leader board. (See Table 1)
Table 1: Top 20 government-imposed data privacy fines worldwide, 1999-2014
| Rank | Fined entity | Amount of fines and penalties | Year | Country | Privacy principles violated |
|---|---|---|---|---|---|
| 1 | Apple | $32.5M | 2014 | U.S. | Choice and Consent |
| 3 | | $17M | 2013 | U.S. | Collection and Notice |
| 8 | Dish Network | $6M | 2009 | U.S. | Choice and Consent |
| 9 | DirecTV | $5.3M | 2005 | U.S. | Choice and Consent |
| 12 | Craftmatic | $4.4M | 2007 | U.S. | Choice and Consent |
| 14 | Barclays Bank | $3.8M | 2013 | U.S. | Use and Retention |
| 15 | Certegy Check Services | $3.5M | 2013 | U.S. | Accuracy |
| 16 | Playdom | $3M | 2011 | U.S. | Collection and Notice |
| 17 | The Broadcast Team | $2.8M | 2007 | U.S. | Collection |
| 18 | Equifax, TransUnion and Experian | $2.5M | 2000 | U.S. | Access |
| 19 | CVS Caremark | $2.3M | 2009 | U.S. | Security and Disposal |
| 20 | Norwich Union Life | $1.8M | 2007 | U.K. | Disclosure |
Government agencies aren't the only players that can make a company pay for its privacy wrongdoings. In some jurisdictions, individuals can join together in a class-action lawsuit and sue a company. In this manner, individuals make the long arm of the law stretch even further. This is nowhere truer than in the U.S., home to the top 10 privacy lawsuits in history. Like their government-enforcement cousins, these cases have also picked up steam in recent years, with 2013 alone registering four of the top 10 cases. (See Table 2)