The evidence points to data breaches being taken more seriously year on year: fine revenue from Data Protection Act prosecutions has increased every year.
- 2010: 2 fines totalling £160K
- 2011: 7 fines totalling £541K
- 2012: 17 fines totalling £2.1M
- 2013: £1.5M
- 2014: £815K at September, final figure not yet available
These are just the Data Protection Act fines; where financial organisations are involved, the FCA imposes further, more substantial fines.
Here are the main sources of those prosecutions:
It may be surprising to see that the Government is most successful at fining itself for breaches:
What’s interesting about the figures is that although most of the breaches are internally generated, the sizeable fines are related to cyber breaches. Reading through the ICO and FCA enforcement pages shows that discounts are applied to fines where organisations have taken steps to avoid breaches. The fines are currently in the range of £300K to £150M, and the FCA enforcement site shows Directors disbarred from office.
Reading through the case notices, we can see that a first breach results in an ‘undertaking’, where the organisation is given a series of remedial targets to meet, typically within three months. If not all targets are met, a ‘Final Notice of Decision’ is issued confirming the monetary fine to be paid.
Subsequent breaches are met with much stronger fines, along with recommendations of management change and the eventual disbarring of Directors.
It’s clear that the regulators take into account the strength of the precautions organisations have taken. On the other hand, there are EU proposals for fines of up to 5% of global turnover. Well-run organisations with good Information Security Policies can expect a 30% discount on fines; however, this would still be 3.5% of global turnover!
In Europe there is a culture of Employer/Employee trust, but when something goes wrong the Director should be able to point to who did what, where and when.
So the trend is towards higher fines and more accountability. Whilst the organisation is held to account by the Data Protection Act, the Director is held to account by the FCA, which will take into account the Director’s fitness to continue their duties.
Osirium was designed to prevent data breaches arising from the misuse of Privileged Accounts; its compliance reports and full analytics have proven to help regulators understand that an organisation has taken proper measures.