Laws and processes exist to prosecute data controllers in the event of a data breach. Punitive measures are intended to incentivise data controllers to better protect consumers' data in order to avoid punishment.
Most G20 countries have data protection laws that, at minimum, enforce a monetary fine.
European Union: The General Data Protection Regulation allows the levying of a fine of €20 million or 4% of global turnover on an organisation. Section 82 of the GDPR states that data subjects have a right to compensation for “material or nonmaterial damage”. Data controllers are exempt from liability when they can prove they are not responsible for the data breach.
Brazil: The Brazilian Regulatory Framework for the Internet enables a 10% fine on domestic gross income and a potential temporary suspension of data collection activities. This fine is proportionate to the nature of the data breach. Consumers are able to bring a data breach case to court for material and nonmaterial damages.
India: A data controller that doesn’t implement reasonable security practices is “liable to pay compensation for any wrongful loss or wrongful gain”. Claims below 50 million rupees are handled by the Department of Information Technology at state government level; claims above this are handled by civil courts. A data controller that discloses personal data without the consent of the subject may be liable to three years' imprisonment, a maximum fine of around $7,500, or both.
Japan: Responsibility for data protection regulation is shared in Japan. The Ministry of Economy, Trade and Industry and the Financial Services Agency investigate companies for data protection compliance. If a company is found to be non-compliant, these agencies can issue a corrective order. If a data controller fails to follow a corrective order, they may be liable to imprisonment of up to six months or a fine of about $2,600.
Punitive measures could drive organisations to be less transparent about breaches.
Accountability for breaches could be hard to pinpoint due to complex arrangements between service providers and third parties.