A data breach can be disastrous for charities and businesses, because of the loss of trust and goodwill that these incidents can engender. But they can be hugely costly as well, as a number of organisations discovered for themselves in 2019. That’s because 2019 was the year that the Information Commissioner’s Office (ICO) got teeth.
Before the advent of the General Data Protection Regulation (GDPR), the maximum fine the ICO could levy for a data breach was £500,000. Although a significant amount for any charity, this sum is a trifling amount for many large commercial organisations, especially when compared with the cost of improving security to protect customer data.
But following the introduction of the GDPR, the ICO can now issue fines of up to 4% of an organisation’s turnover in the preceding financial year, so in some cases the fines can run into millions, tens of millions, or even hundreds of millions of pounds.
In the first half of 2019 more than 230 charities reported data breaches to the ICO, accounting for a little under 5% of all the data breaches reported, according to ICO figures.
The data breaches can be split into two broad categories: what the ICO calls “cyber incidents,” which involve cyber criminal activity, and “non cyber incidents,” which are usually caused by general carelessness.
Many of the incidents fell into the latter category, including emailing data to the wrong recipient and the loss or theft of paper left in an insecure place. The more sinister “cyber incidents” include cases of charities falling victim to phishing attacks, cyber criminals gaining unauthorised access to computer systems, and data loss caused by malware.
Despite these 230 charity data breaches in the first half of 2019, and what is likely to be a similar number in the second half of the year, none of the charities affected were fined by the ICO, according to its enforcement action notices web page. But the ICO can and does levy fines for data breaches, as the following cases make clear:
British Airways: £183 million fine
The biggest fine levied by the ICO to date is an eye-watering £183.39 million, which it said it intended to impose on British Airways in July 2019 for a data breach in August and September 2018 – just three months after the GDPR came into effect – when about 500,000 customers’ personal data was exposed. This included names, addresses, credit card information and booking details. Some of these credit card details were later being sold on the “dark web” by Russian cyber criminals, according to a report by cyber threat intelligence company RiskIQ.
In fact, British Airways got off relatively lightly in this case: the fine represents far less than 2% of British Airways’ turnover. If the ICO had levied the maximum 4% fine, this could have run to £500 million.
Equifax Inc.: £700 million fine
The credit reporting agency Equifax Inc. received a fine of approximately $700 million (the exact amount has yet to be finalised) from the Federal Trade Commission (FTC) and the Consumer Financial Protection Bureau in the U.S. for a data breach in 2017 in which more than 140 million people’s personal data was compromised by cyber criminals.
What’s interesting about this case is that the ICO also issued a £500,000 fine to Equifax Ltd in the UK back in September 2017 for failing to protect the personal information of up to 15 million UK citizens during the 2017 cyber attack, even though the computer systems that were compromised were in the US. The fine was imposed by the ICO because the UK operation “failed to take appropriate steps to ensure its American parent Equifax Inc, which was processing the data on its behalf, was protecting the information,” according to the ICO.
The fact that the ICO did not fine any charities in 2019 should not be cause for complacency. That’s because the ICO has already shown that it is prepared to crack down on charities that have inadequate cyber security measures in place: in 2018 the British and Foreign Bible Society charity was fined £100,000 by the ICO for putting personal data at risk and potentially revealing the religious identity of donors after cyber criminals accessed over 400,000 of its supporters’ records.
What can charities do to minimise the likelihood of experiencing a data breach and incurring a potentially significant fine?
The most common cyber incidents stem from phishing attacks, so charities should make phishing awareness training a priority for all of their staff.
When it comes to “non cyber” incidents caused by carelessness, there is no simple solution except to reinforce the importance of taking due care of customers’ personal data.
There are also many resources designed to help charities avoid falling foul of the GDPR, including guidelines on how to comply with the regulation, and an ICO self-assessment procedure and checklist aimed at smaller organisations, which helps to identify any gaps in data protection processes. Tailored advice for charities is available in the form of an FAQ tackling data protection matters.
The Information Commissioner, Elizabeth Denham, underlines the importance of data security: “When you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
Ultimately, the message to digital leaders should be clear: taking adequate cyber security measures to protect customers’ personal data can be expensive, but failing to do so and incurring a fine can be more expensive still.