The Information Commissioner’s Office issued monetary fines in only 29 cases out of 11,468 data breach cases it investigated between May 2018 and March this year, indicating that only around one in every 395 investigations resulted in monetary fines.
In the period, the ICO also issued enforcement notices in 13 incidents of data breaches it investigated. If organisations are unable to comply with enforcement notices issued by the ICO, then they will be liable to be issued monetary fines upon the expiration of such notices.
ICO is empowered to issue monetary fines to erring organisations under the 1998 Data Protection Act for data breach offences committed prior to July 2018 and for data breaches committed post-July last year, the new Data Protection Act framed around GDPR comes into application.
While the 1998 Data Protection Act authorised the ICO to issue maximum fines of £500,000 for data protection offences, the watchdog can issue fines of up to €20 million or 4% of annual global turnover of erring organisations under the new Data Protection Act.
In September last year, the ICO issued its first enforcement notice under GDPR to data analytics firm AggregateIQ to direct the firm to stop processing retained data belonging to UK citizens following the Cambridge Analytica scandal.
Monetary fines issued by ICO not enough
Even though the first fine under the new Data Protection Act is yet to be issued, the ICO issued maximum monetary fines of £500,000 under the older DPA on two occasions between May last year and March this year. In July last year, the watchdog fined Facebook £500,000 for failing to prevent data analytics firms (Cambridge Analytica) from harvesting personal details of millions of users.
It also fined Equifax £500,000 in September for failing to safeguard personal details of up to 15 million UK citizens which were compromised after the company suffered a massive data breach that compromised personal details of up to 146 million people globally. Compromised information included names, dates of birth, addresses, passwords, driving license and financial details of millions of UK citizens.
In November last year, the ICO also fined ride-hailing service Uber £385,000 for failing to safeguard the personal information of around 2.7 million UK customers, including 82,000 drivers. It also found Uber guilty of paying $100,000 to hackers to destroy the data they had downloaded and for hiding the fact from affected customers.
Despite such fines being issued to organisations guilty of not being able to prevent large-scale data breaches, the fact that only around one in every four hundred data breach investigations resulted in a fine suggests that the ICO may not be acting fast enough to convince organisations that data protection offenses will not go unpunished.
“With data breaches being at an all-time high, organisations need an extra push to get their ducks in a row. The lack of monetary penalties is only going to discourage those companies that are making all the internal changes required to comply with GDPR laws while others are having their cake and eating it too,” said Jake Moore, Cyber Security specialist at ESET to Business Cloud.
“The appropriate level of enforcement is required to make the needle move; therefore the ICO must practice what it preaches,” he added.
Majority of breach reports are inaccurate and heavily delayed
While it is certainly concerning to note that monetary fines issued by ICO are not as per the expectations of security experts, it is also true that the ICO’s inability to act against data protection offenses is because of businesses’ inability to provide critical details to the watchdog and within mandated timelines.
In March, a Freedom of Information request made by security firm Redscan revealed that while more than 9 out of 10 companies (93%) did not specify the impact of the breach, or did not know the impact at the time it was reported, it also took businesses an average of 21 days to report breach incidents to the ICO after they were identified.
Information obtained by Redscan also revealed that less than a quarter of businesses complied with the requirement of reporting breaches within 72 hours of discovery. Out of 182 breach reports, only 45 were reported within 72 hours of discovery and one organisation too as long as 142 days to report a breach to the ICO. As many as 21% of organisations failed to report breach incident dates to the ICO.
“Data breaches are now an operational reality, but detection and response continue to pose a massive challenge to businesses. Most companies don’t have the skills, technology or procedures in place to detect breaches when they happen, nor report them in sufficient detail to the ICO. This was a problem before the GDPR and is an even bigger problem now that reporting requirements are stricter,” said Mark Nicholls, Redscan director of cybersecurity.
“Without the appropriate controls and procedures in place, identifying a breach can be like finding a needle in a haystack. Attacks are getting more and more sophisticated and, in many cases, companies don’t even know they’ve been hit.
“It’s incredibly optimistic to think that businesses are better at preventing and detecting data breaches since the introduction of the GDPR. Despite the prospect of a larger penalty, many are still struggling to understand and implement the solutions they need to achieve compliance,” he added.