UK businesses could face up to £122bn in penalties for data breaches when new EU legislation comes into effect in 2018, the Payment Card Industry Security Standards Council (PCI SSC) has warned.
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
According to a UK government 2015 information security breaches survey, 90% of large organisations and 74% of SMEs reported a security breach, leading to an estimated total of £1.4bn in regulatory fines.
In 2018, the European Union’s General Data Protection Regulation (GDPR) will introduce fines for groups of companies of to €20m or 4% of annual worldwide turnover, whichever is greater – far exceeding the current maximum of £500,000.
This means that if data breaches remain at 2015 levels, the fines paid to the European regulator could see a near 90-fold increase, from £1.4bn in 2015 to £122bn, the PCI SSC calculated, based on the maximum fine of 4% of global turnover.
For large UK organisations, this could see regulatory fines for data breaches soar to £70bn, more than a 130-fold increase, rising to an average of £11m per organisation. Regulatory fines for SMEs could see a 57-fold increase, rising to £52bn, averaging £13,000 per SME.
Regulatory fines are only part of the downside for companies, the PCI SSC said, with reputational damage, business disruption and revenue loss also having a significant impact on firms suffering a data breach.
The PCI SSC, which works in partnership with organisations to develop and enhance payment and data security standards, is urging firms to act now to prevent, detect and respond to cyber attacks that can lead to breaches of payment data and other personal data.
“The new EU legislation will be an absolute game-changer for both large organisations and SMEs as the regulator will be able to impose a stratospheric rise in penalties for security breaches, and it remains to be seen whether businesses facing these fines will be able to shoulder the costs,” said Jeremy King, international director at PCI SSC.
“Companies, both large and small, need to act now and start putting in place robust standards and procedures to counter the cyber security threat, or face the prospect of paying astronomical costs in regulatory fines and reputational harm to their brand.”
However, the PCI SSC calculations do not take into account the GDPR’s two-tier approach to sanctions which also allow for fines of up to €10m or 2% of global annual turnover, whichever is greater, for breaches considered less serious.
“The two-tier approach for fines simply reflects what EU policy-makers see as top issues versus medium concerns,” said Eduardo Ustaran, European head of privacy and cyber security at law firm Hogan Lovells.
“But in any event, the jump from the current level of fines is absolutely exponential. We are talking of moving from a few hundred thousand euros to potentially hundreds of millions.”
Key areas for companies to watch out for, said Ustaran, are the basic principles for processing, including conditions for consent, the data subjects’ rights and the conditions for lawful international data transfers. Large-scale risk to people’s privacy is likely to be a major factor in deciding who to fine and how much, he said.
“It is anybody’s guess whether the UK government will use a similar formula in the post-Brexit privacy legislation, but the UK information commissioner has certainly not been shy of issuing large fines,” said Ustaran.
In October 2016, the Information Commissioner’s Office (ICO) hit TalkTalk with a record £400,000 fine for the cyber attack in 2015 that exposed the personal details of more than 150,000 customers.
The new information commissioner, Elizabeth Denham, said the telecoms provider had failed to apply “the most basic cyber security measures”, leaving its database vulnerable to an SQL injection attack after failing to apply a fix for a software bug that had been available for more than three years.
In her first public speech since taking the role, Denham warned that although the ICO had powers to issue fines of up to £500,000, this could rise to 4% of a business’ global turnover in line with the GDPR.
She also warned that the ICO expected to see organisations taking responsibility for their actions, despite the pace of technological change, saying it is up to individual businesses to understand the risks they are creating for others, and to mitigate them.
Denham said it was “extremely likely” that the GDPR would be live before the UK left the EU. “The GDPR is already in force – it is just that member states are not obligated to apply it until 25 May 2018,” she said.
Denham said all UK companies that wanted to do business in the EU would have to comply with the GDPR. She said the major shift in the law was about giving consumers control over their data, which tied in with building trust and was also part of the ICO’s philosophy.
“In a global economy, we need consistency of law and standards,” she said. “The GDPR is a strong law and, once we are out of Europe, we will still need to be deemed adequate or essentially equivalent. When the UK leaves the EU, which is likely to be 2019 or later, a new data protection law will need to be in force.”
Denham said the ICO was discussing with ministers and senior officials in government what future UK data protection law should look like. “The aim is a progressive regulatory regime that stands up to scrutiny, that doesn’t leave the UK open to having rocks thrown at it by other regimes,” she said. “And that has consistency and adequacy with Europe.”