Page 1 of 2 (results 1 to 16 of 18)

Thread: Data Wars: The ICO Strikes Back

  1. #1 spacein_vader

    Data Wars: The ICO Strikes Back

    So, hot on the heels of yesterday's decision to fine BA 1.5% of their turnover (£183m, https://www.bbc.co.uk/news/business-48905907), today they've hit Marriott hotels for £99m: https://www.bbc.co.uk/news/technology-48928163

    Those of us "in the trade" have been expecting this for a while. Lots of cases have been investigated by ICO but all seem stalled at the final decision point. Our thinking was that ICO wanted to make a statement by making sure the first few announced were household names and for big fines. It shows the ICO is doing its job for the public and hopefully will make big organisations sit up and take note at board level.

    More power to their elbow.

  2. #2 Xlucine

    It's nice to see, but how many years will these take to work through the appeals courts?

  3. #3 Saracen999

    Quote Originally Posted by spacein_vader
    More power to their elbow.
    +1 on that.

    Quote Originally Posted by Xlucine View Post
    It's nice to see, but how many years will these take to work through the appeals courts?
    In one sense, it doesn't really matter. Though in others, it does.

    A series of household names getting stuck with whopping fines should register with every other company as an "Oh sh ..... erm, shoot" moment. Combine that with the Irish regulator challenging the "standard contractual clause" basis under which so many companies transfer European consumers' data into US jurisdiction and, if upheld, we may finally have some privacy protection measures with real teeth, and sharp ones at that.

    Both send the same fundamental message to companies .... regulators are getting serious, and if they get hit with a data breach, big fines WILL follow unless those firms can demonstrate they took securing our data seriously and didn't, as is currently too often the case, just pay lip-service to security with fine-sounding PR but then allocate a budget that could be filled from petty cash.

    Proper security regimes can be expensive and so many companies haven't taken it seriously. We need the penalties for screwing up to WAY exceed the costs of doing it properly and a series of "turnover-based" fines sends exactly that message.

    So yeah, more power to their elbow indeed. Absolutely.

  4. Received thanks from:

    MaddAussie (10-07-2019)

  5. #4 Lanky123

    This does potentially open up a new revenue stream for criminals. Given the size of the fines how many companies would contemplate paying a hacker to keep things hush-hush and not sell on their data elsewhere? Of course you can't guarantee they'll keep to the deal, but if the hacker only charged 10% of the likely fine you'd receive? 5%? I don't know the going rate for hacked customer details on the dark web but ~£5m sounds like a pretty lucrative pay-off, particularly as you wouldn't have to go to the trouble of committing multiple credit card/identity frauds or selling the data on to other criminals.

    So, all things considered, I'm pleased that companies will have to up their security game. But I'm a little wary of the potential consequences and hope this eventuality has been thought through. Possibly any attempt to hide a data breach which is then discovered would automatically result in the maximum 4% of turnover fine?

  6. #5 spacein_vader

    Quote Originally Posted by Xlucine View Post
    It's nice to see, but how many years will these take to work through the appeals courts?
    None. You can't appeal to a court, only to the regulator itself. Given in both the cases so far the data has definitely been breached you can't really argue you're not guilty, all you can do is try to get it reduced for good behaviour as it were. You have 30 days to lodge the appeal and I'd be surprised if it took longer than 3 months to get a result.

    Quote Originally Posted by Lanky123 View Post
    This does potentially open up a new revenue stream for criminals. Given the size of the fines how many companies would contemplate paying a hacker to keep things hush-hush and not sell on their data elsewhere? Of course you can't guarantee they'll keep to the deal, but if the hacker only charged 10% of the likely fine you'd receive? 5%? I don't know the going rate for hacked customer details on the dark web but ~£5m sounds like a pretty lucrative pay-off, particularly as you wouldn't have to go to the trouble of committing multiple credit card/identity frauds or selling the data on to other criminals.

    So, all things considered, I'm pleased that companies will have to up their security game. But I'm a little wary of the potential consequences and hope this eventuality has been thought through. Possibly any attempt to hide a data breach which is then discovered would automatically result in the maximum 4% of turnover fine?
    Under GDPR you must report any breach within 72 hours of discovering it, even if you don't know all the details by that point you tell them what you know and undertake to fill in the blanks later.

    If you don't report within 72 hours you'd need to find a damned good reason why not, "paying the breachers some hush money" won't cut it on that score. The easiest way to get the maximum fine is obstruction of a breach investigation or obfuscation of the breach in the first place.

    Organisations are already very wary of this, it's why BA disclosed their breach publicly within 24 hours whereas under the old scheme it could be months/years before places would grudgingly own up.

    In the last year before GDPR it was averaging 3 weeks before an organisation reported to ICO, this year's figures aren't out yet but given the speed of the confessions in the major cases I'd be stunned if it's over that 72 hour limit.

  7. Received thanks from:

    Lanky123 (10-07-2019),MLyons (10-07-2019),Saracen999 (10-07-2019),Xlucine (12-07-2019)

  8. #6 Ttaskmaster

    Quote Originally Posted by Lanky123 View Post
    So, all things considered, I'm pleased that companies will have to up their security game. But I'm a little wary of the potential consequences and hope this eventuality has been thought through.
    The more you get fined, the less money you have with which to fix customers' problems.
    Whichever way you look at it, customers always pay the price and take the hits.
    _______________________________________________________________________
    Quote Originally Posted by Mark Tyson
    like a chihuahua urinating on a towering inferno...

  9. #7 spacein_vader

    Quote Originally Posted by Ttaskmaster View Post
    The more you get fined, the less money you have with which to fix customers' problems.
    Whichever way you look at it, customers always pay the price and take the hits.
    For the organisations (not just companies; charities, public sector and others are all covered) that get hit with a fine, sure. But the idea of the big scary fine is that you spend more money on improving data protection BEFORE you have a breach.

    It's a lot easier (for example) for ICT to convince the board that they need to spend £10m on replacing insecure systems if the fine is going to be £100m+.

  10. #8 Ttaskmaster

    Quote Originally Posted by spacein_vader View Post
    It's a lot easier (for example) for ICT to convince the board that they need to spend £10m on replacing insecure systems if the fine is going to be £100m+.
    For certain companies, though, the record-breaking £126m fine (more than 50% of profit and about 16% of turnover) is still far cheaper than the amount required to resolve the issues, and fines of that level don't help to resolve anything.

  11. #9 spacein_vader

    Quote Originally Posted by Ttaskmaster View Post
    For certain companies, though, the record-breaking £126m fine (more than 50% of profit and about 16% of turnover) is still far cheaper than the amount required to resolve the issues, and fines of that level don't help to resolve anything.
    Are there places out there for whom their data issues would cost more than 4% of their annual turnover EVERY YEAR? The fines can roll on; if you don't fix the problem it's another 4% next year, and the year after, and so on till you either fix it or go bust. Fixing and going bust have the same effect: you no longer have the data and hopefully your customers have now moved to someone who does take it seriously.

  12. #10 Ttaskmaster

    Quote Originally Posted by spacein_vader View Post
    Are there places out there for whom their data issues would cost more than 4% of their annual turnover EVERY YEAR?
    Potentially, yes... and I was working on the basis of 10%, since that's what regulators seem to like best.

    Quote Originally Posted by spacein_vader View Post
    Fixing and going bust have the same effect: you no longer have the data and hopefully your customers have now moved to someone who does take it seriously.
    Our customers have no choice who they're with, unless they move to the other end of the country.

  13. #11 spacein_vader

    Quote Originally Posted by Ttaskmaster View Post
    Potentially, yes... and I was working on the basis of 10%, since that's what regulators seem to like best.

    Our customers have no choice who they're with, unless they move to the other end of the country.
    You don't have to worry about 10%, it's capped at 4. I'm assuming you either work for government or a utility but I still struggle to believe that they have systems so insecure and so expensive to either mitigate or replace that the fine is the cheaper option.

  14. #12 Ttaskmaster

    Quote Originally Posted by spacein_vader View Post
    You don't have to worry about 10%, it's capped at 4.
    "We can fine companies 10% of their turnover for a breach of licence or legal duty".
    https://www.ofwat.gov.uk/regulated-c...ns-and-powers/

    Regulators of other industries say similar things, so I presumed the same was true of all regulators.
    A quick Goggle suggests 4% or 20mil, whichever is higher.... but worth noting that if the prosecution goes to court, the court can issue its own fine, which is limited to "Whatever the hell we like" and why our industry is now seeing record levels of penalty.

    Quote Originally Posted by spacein_vader View Post
    I'm assuming you either work for government or a utility but I still struggle to believe that they have systems so insecure and so expensive to either mitigate or replace that the fine is the cheaper option.
    Well, the systems are probably quite cheap to replace... but firstly, we'll pay corporate rates. An encrypted flash drive costing £22 at the local PC World will cost us £56 through the supplier we are contractually bound to use. Simple installations, password resets and other things that I could do myself in 30 seconds, if I only had Admin rights on my own machine, will instead cost hundreds and take days as it gets processed through the various approval procedures.

    A little while after I'd upgraded my home PC to Win10, I heard the exciting news that my work PC was going to be upgraded.
    "Yes indeed, Comrade Tasky, we have stepped up our game to be at the forefront of cutting edge technology. Therefore, we are exceedingly excited to announce that, over this very weekend, your cacky HP desktop machinamabob will be completely upgraded to..... Windows 7!!"

    Besides, 'cheaper to pay the fine' is now an ingrained mentality in our industry.... about which your assumption is correct. Call me when your sewers flood or your train derails.

  15. #13 Saracen999

    Quote Originally Posted by Ttaskmaster View Post
    "We can fine companies 10% of their turnover for a breach of licence or legal duty".
    https://www.ofwat.gov.uk/regulated-c...ns-and-powers/

    Regulators of other industries say similar things, so I presumed the same was true of all regulators.
    A quick Goggle suggests 4% or 20mil, whichever is higher.... but worth noting that if the prosecution goes to court, the court can issue it's own fine, which is limited to "Whatever the hell we like" and why our industry is now seeing record levels of penalty.
    Those higher rates apply to other regulators for breach of licence, but the ICO fines for GDPR are, at a max, £29m or 4% of turnover, whichever is the higher.

    ICO

  16. #14 spacein_vader

    Quote Originally Posted by Saracen999 View Post
    Those higher rates apply to other regulators for breach of licence, but the ICO fines for GDPR are, at a max, £29m or 4% of turnover, whichever is the higher.

    ICO
    It's 4% or €20m, or whatever the equivalent is in sterling. So they'd best pay it before Brexit or it could be a lot more £ than currently.

  17. #15 Ttaskmaster

    Yeah. I know. I did done and Goggle it....

  18. #16 Saracen999

    Quote Originally Posted by spacein_vader View Post
    It's 4% or €20m, or whatever the equivalent is in sterling. So they'd best pay it before Brexit or it could be a lot more £ than currently.
    Yeah, sorry .... typo. £20m

    And surely, if Br .... that thing .... is the disaster remainers predict, the £ will devalue, and US companies will get more £ for their $, and so it'll cost less, not more.

    If.

    But do we really want to go there? It's been so quiet recently.
