Average data breach fines have doubled as ICO hints at higher fines

News by Tom Reeve

The average fine against an organisation for a data breach doubled last year from £73,191 to £146,412 per incident.

The maximum allowable £500,000 fine levied by the Information Commissioner’s Office (ICO) against Facebook last week is a precursor of things to come as research suggests that the ICO has been ramping up its fines ahead of the introduction of GDPR.

Law firm RPC’s research found that pre-GDPR fines nearly doubled between 2017 and 2018. It found that the average value of a fine issued for failing to protect against data breaches rose to £146,412 in the year to 30 September 2018, up from £73,191 the previous year.

Meanwhile, the total value of fines issued by the ICO reached £4.98 million, 24 percent higher than the previous year and a significant rise on three years ago.

The introduction of the GDPR is widely expected to result in higher fines for larger businesses, RPC said.

The ICO last week confirmed a £500,000 fine against Facebook, originally announced in July. It was the maximum amount allowed under the Data Protection Act 1998. The ICO said that the fine would have been considerably higher under the GDPR, which came into force on 25 May this year but cannot be applied to this case because of the timing of events.

Three other big fines in the past year were against:

  • Equifax – fined £500,000 for failing to protect the personal information of up to 15 million UK citizens during a cyber-attack in 2017

  • Carphone Warehouse – fined £400,000 for failing to adequately protect customer and employee data

  • The British and Foreign Bible Society – fined £100,000 following a cyber-attack that compromised personal data of 417,000 people

Facebook fined maximum of £500,000 by ICO

The ICO has justified fining Facebook the maximum amount of £500,000 allowed by the DPA 1998, saying the social media giant committed serious breaches of data protection law between 2007 and 2014 by processing users’ personal information without their informed consent. The fine relates to an app developed by Dr Aleksandr Kogan and his company GSR, which allowed them to harvest the Facebook data of up to 87 million people worldwide. It is estimated that one million UK users were affected.

Many of the affected people would have been friends of people who signed up to use Kogan’s app but were not informed that Facebook would allow their data to be harvested without their knowledge or consent.

Some of the harvested data was shared with SCL Group, the parent company of Cambridge Analytica.

Although the GDPR came into force in May along with the Data Protection Act 2018, no fines have been issued under its terms yet. However, on 6 July the ICO did serve an enforcement notice under the GDPR against the Canadian company AggregateIQ Data Services Ltd, which has links to Cambridge Analytica and SCL.

The GDPR allows for fines of up to €20 million (£17m) or four percent of an organisation’s global turnover.

Despite extensive preparations for its introduction, many companies still appear to be unprepared for the GDPR. It requires companies not only to seek permission from users to process their personal information but also to employ effective cyber-security technology and procedures to prevent data breaches, or at least to mitigate their impact.

David Emm, principal security researcher at Kaspersky Lab, said: "Customers that entrust private information to the care of any online provider should be safe in the knowledge that their data is stored securely. However, in the past year alone, many companies including four airlines announced they had suffered from data breaches, which demonstrates that the security solutions in place still aren’t strong enough.

"With data breaches happening more frequently, it’s no wonder that the fines are increasing. Companies that are not taking proper and adequate measures to protect their customers should face the consequences for their lack of care."

Data protection specialist Jon Baines from solicitors Mishcon de Reya told SC Media UK that the ICO will take into account organisations’ reasonable efforts to secure their data when assessing the level of fines.
