Security firm Halock posted a story about a $500,000 fine imposed by the FTC for lack of reasonable security. The post is at https://www.halock.com/500000-fine-paid-for-not-incorporating-reasonable-security.
The fine was the result of a 2019 data breach at online T-shirt company CafePress, in which the data of over 22 million customers and more than 180,000 Social Security numbers were stolen. The website's owner, Residual Penguin, failed to implement the following security measures, among others:
- Low-cost protection against well-known vulnerabilities.
- Encryption of personal information.
- Modern, secure algorithms when encrypting passwords.
- Patch management policies and procedures.
- Timely deletion of unneeded user data.
Residual Penguin only learned of the attack three weeks later, when a security researcher informed it, and only realized the scope of the breach after fraudulent orders began arriving. Although the breach took place in February, customers were not notified until September.
While a comprehensive cyber insurance policy would cover the fine as well as the data breach costs (the reputational damage from bad publicity is another matter), it is far better to have sound security controls and an incident response plan in place before a breach occurs.