Law Firm Report: Average Data Breach Fines Double in last year

UK-based law firm RPC has published a report which shows that the average fine for not protecting against data breaches has doubled to £146,000 in the year to 30 September 2018.

The ICO recently applied the UK’s first GDPR enforcement penalty against AggregateIQ following an incident that saw the data of up to 87 million Facebook users impacted. That specific fine is currently being appealed.

The report also estimated that the total value of penalties imposed by the ICO in the period rose to £4.98m, up 24% from £4 million in the previous 12 months. You can read the report here.

It listed three of the largest data privacy breach fines from the last year:

  • Carphone Warehouse, which was fined £400,000 for failing to adequately protect customer and employee data
  • The British and Foreign Bible Society, which was fined £100,000 after a hacking attack impacted the personal data of 417,000 individuals
  • Equifax, which received the highest possible fine notice of £500,000 for not protecting the personal information of up to 15 million UK citizens during a cyber-attack in 2017

It is important to remember that all of these penalties were applied for breaches that happened before the May 25 introduction date of the European Union General Data Protection Regulation. Had they taken place after that date, the fines could have been as high as €20m or 4% of annual global revenue, whichever figure is larger.

Richard Breavington, partner at RPC, said that a doubling in the average size of a fine should act as a “wake-up call to businesses. Given that there seems to be no slowdown in the number of cyber-attacks today – businesses need to see how they can mitigate the risks to their customers when there is an attack. For example, businesses should ensure that they take out cyber insurance policies so that they can bring in experts to contain the impact of an attack and limit the exfiltration of data.”

Companies that operate in the European Union need to be aware of the importance of meeting all of their requirements under GDPR in order to avoid huge fines like these. For instance, it is simply not enough to appoint a Data Protection Officer located in another country, such as the US. You must also select a European Union Data Protection Representative who will serve as a local liaison on your data protection management matters.