Any time there’s a data breach, there are financial consequences. The average cost of a data breach is $3.86 Million4. In addition to noncompliance penalties and fines, consider these impacts:
often accounts for the bulk of breach costs because it includes high customer turnover and brand damages that hinder new growth.
including process breakdowns and lost employee productivity that could affect over half the business’s annual income.
including notifying individuals whose data was breached and hiring external experts to help resolve the breach and repair brand image.
for individual victims and their PII, and class action lawsuits are becoming one of the most expensive consequences of a breach.
can significantly derail business growth, competitive differentiation, and future sales.
for those in charge of and most tied to data, security, and IT and potential company-wide employee turnover.
Noncompliance penalties are enforced by the California Attorney General’s Office and range per violation, depending on intent behind the violation.
Starting January 1, 2023, enforcement will be handled by a new office, the California Privacy Protection Agency (CalPPA). This will also change the penalty for violations related to data of minors, in which case possible fines are tripled.
$7,500 – each intentional violation of the CCPA
$2,500 – each violation of the CCPA that isn’t deemed intentional
These fines are assessed only after notice has been given and a 30-day “opportunity to cure” has been provided.
Noncompliance penalties vary depending on the level of severity and negligence. Funds received through illegal or unethical business transactions are disgorged, or paid back, often with interest and/or penalties to those affected by the action.
Punitive damages apply to nongovernmental entities with a maximum $10,000 in individual actions and the lesser of $500,000 or 1% of the creditor’s net worth in class actions.
Loss/withdrawal of federal funding for the entire institution or agency.
Possible prosecution under criminal codes.
Noncompliance penalties range per violation (or per record), depending on the level of severity and negligence. Maximum penalty of $1.5 Million per year.
$100 – organization was unaware and couldn’t avoid breach
$1,000 – organization should’ve been aware but couldn’t avoid breach
$10,000 – organization neglected reasonable care but did attempt to correct violation
$50,000 – organization neglected reasonable care, and didn’t attempt to correct violation
Noncompliance penalties can reach as high as €20 Million (or $24 Million) or 4% of annual global revenue from the preceding financial year – whichever is greater. Fines depend on the nature, seriousness, length of the violation, and history of noncompliance.
Prevention of doing business with a temporary or permanent ban on data processing and suspension of data transfers to third countries.
Request to erase data to protect individuals’ personal information.
Noncompliance penalties extend to the financial institution/organization and individuals deemed in charge.
$100,000 – each violation for a financial institution
$10,000 – each violation for individuals in charge
Criminal charges with up to 5 years in prison for individuals found in violation.
Civil fines up to $1 Million per violation.
Criminal fines up to $1 Million per violation, 20 years imprisonment, and being barred from conducting any future export activities.
Noncompliance penalties are governed by the DOJ Criminal Justice Information Services Security Policy. Improper access, use, or dissemination of CHRI and NCIC Non-Restricted Files information may result in administrative sanctions.
Termination of services
State and federal criminal penalties