P&Ps: The Common Denominator of Data Breach Findings
When regulators issue data security breach rulings, their findings most often mirror those recently described by Andrew Ceresney, Director of the SEC Enforcement Division: “_____________ failed to adopt written policies and procedures reasonably designed to protect customer data.”
That sentiment, stated in one variation or another, has been included in virtually every data security breach investigation over the past twenty years. Inadequate (or nonexistent) written data security policies and procedures are almost always the culprit. And, more importantly, the growing fines issued as a result of the breach are then based upon the negligence that is reflected by their absence.
True, there are some who blame human error. The Verizon 2022 Data Breach Investigations Report, for instance, stated that 82% of data security breaches in 2022 could be traced to “the human element.”
But not so fast, Verizon. Doesn’t that simply mean that those humans lacked the proper training? Doesn’t it mean that policies and procedures did not include the right instructions, or that the instructions were too vague, or that there was no effective testing or enforcement?
Sure, policies and procedures are not going to stop an irresponsible rogue employee from ignoring their training. But that’s not the problem. That, regulators can understand and forgive. It’s why, for example, the amended HIPAA rules now allow for the prosecution of individual employees acting contrary to their training.
What regulators cannot forgive is when an organization has not created (or does not abide by) policies and procedures in the first place. That is a clear violation of every data protection regulation in the world, and it is what those same regulators commonly refer to as “Willful Negligence.” And, when regulators find that, the pain is not far behind.
The moral of the story is this: While compliant data security P&Ps dramatically minimize the likelihood of a data security breach, they also make things much easier on the organization in the event something bad does happen.
It’s a no-brainer.
© 2023 Privata Vox, LLC - All Rights Reserved
Bob Johnson, CSDS, CIPP/US, is the Principal Advocate at Privata Vox, LLC. Read more about his long career in privacy and data protection policy development.