A US health insurance company has agreed pay $115 million as settlement amount following a large scale data breach that compromised personal details of over 79 million customers.
This is the largest settlement amount ever for a data breach but once GDPR is implemented, fines levied on UK firms could be equally high.
Anthem Inc., the largest health insurance company in the US, has agreed to pay $115 million as settlement amount to around 79 million customers whose personal detailed were compromised following a large-scale cyber-attack in 2015. The list of victims also included customers of other insurance firms affiliated with Anthem.
Victims have the option of either using the money to pay for their credit monitoring or accepting the payout in cash. The total amount to be paid to each victim will not exceed $50. Despite the payout, Anthem continues to contend that the cyber-attack did not compromise medical or financial information of customers.
The $115 million settlement seems astronomical when compared to what companies in the UK are liable to pay following data breach incidents. The existing Data Protection Act mandates companies to pay fines not exceeding £500,000 for breaching privacy rules.
According to a PwC analysis, monetary fines imposed by the ICO on erring UK firms previously peaked at £2.3m in 2013 before coming down to £1.5m in 2014 and £2m in 2015. The ICO had imposed fines of only £541,000 on erring firms in 2011.
The Information Commissioner’s Office imposed financial penalties of £3.2m on 35 UK firms for breaching privacy rules last year. In comparison, fines of up to $250m were served on erring firms in the United States last year.
However, fines imposed on erring UK firms will rise astronomically once the General Data Protection Regulation comes into effect next year. Under the new law, companies will be required to pay either 4% of their annual turnover or €20 million, whichever will be higher.
‘Post-GDPR, the Information Commissioner’s Office will be looking for a data offender to make an example of. And with the stipulations in the laws, it will be highly likely that one of the larger companies will fall foul of it. If you think of a case like that of TalkTalk, the potential fines will run into hundreds of millions rather than tens of millions,’ says Sunetra Chakravarti, Editor at TEISS.
“Organisations can no longer see data breaches as an abstract tech or IT problem; boycotts and penalties are serious business risks and should be a board-level business issue. Make no mistake, there will be businesses that will never fully recover from such a fine if they don’t go out of business entirely. We will all know of the EU General Data Protection Regulation then,” said Rashmi Knowles, Field CTO at RSA.