UK: Average Data Breach Fines Double in Last 12 Months

In the United Kingdom, law firm RPC released a report which reveals that the average fine for failing to protect against data breaches has doubled to £146,000 in the year to 30 September 2018.

The ICO recently sanctioned the UK’s first GDPR enforcement penalty against AggregateIQ following an incident that saw data of up to 87 million Facebook users compromised. That particular fine is currently being appealed.

In the report, which you can read here, the law firm estimated that the total value of penalties imposed by the ICO in the period rose to £4.98m, up 24% from £4 million in the previous 12 months.

It listed three of the largest fines in the last year:

  • Carphone Warehouse, which was sanctioned with a £400,000 data breach penalty for failing to adequately protect customer and staff data
  • The British and Foreign Bible Society, which was fined £100,000 following a cyber-attack that impacted the personal data of 417,000 individuals
  • Equifax, which was hit with the highest possible data penalty notice of £500,000 for failing to protect the personal information of up to 15 million UK citizens during a cyber-attack in 2017

It is important to note that all of these penalties were applied for breaches that occurred prior to the May 25 introduction date for the European Union General Data Protection Regulation. Had they taken place after this date, they could have been as high as €20m or 4% of annual global revenue, whichever figure is higher.

Richard Breavington, partner at RPC, commented that a doubling in the average size of a fine should serve as a “wake-up call to businesses”.

“Given that there seems to be no slowdown in the number of cyber-attacks today – businesses need to see how they can mitigate the risks to their customer when there is an attack,” he continued.

“For example, businesses should ensure that they take out cyber insurance policies so that they can bring in experts to contain the impact of an attack and limit the exfiltration of data.”

Businesses that operate in the European Union need to be conscious of the importance of fulfilling all of their requirements under GDPR in order to avoid massive fines like these. For example, it is simply not enough to appoint a Data Protection Officer based in another country, such as the US. You must also appoint a European Union Data Protection Representative who will serve as a local liaison in relation to your data protection management.