Page 1 of 2 12 LastLast
Results 1 to 16 of 18

Thread: Data Wars: The ICO Strikes Back

  1. #1
    Senior Member spacein_vader's Avatar
    Join Date
    Sep 2014
    Location
    Darkest Northamptonshire
    Posts
    1,243
    Thanks
    69
    Thanked
    296 times in 196 posts
    • spacein_vader's system
      • Motherboard:
      • Asus B85M-G
      • CPU:
      • i5 4460 3.2GHz
      • Memory:
      • 4x4GB Crucial DDR3 1600
      • Storage:
      • 128GB SSD, 256GB SSD
      • Graphics card(s):
      • Asus RX-480 Dual OC 4GB
      • PSU:
      • Corsair HX 520W modular
      • Case:
      • Antec Mini P180
      • Operating System:
      • Windows 10 Pro
      • Monitor(s):
      • BenQ GW2765, Dell Ultrasharp U2412
      • Internet:
      • Origin Fibre Max

    Data Wars: The ICO Strikes Back

    So hot on the heels of yesterdays decision to fine BA 1.5% of their turnover (£183m https://www.bbc.co.uk/news/business-48905907) today they've hit Marriott hotels for £99m https://www.bbc.co.uk/news/technology-48928163

    Those of us "in the trade" have been expecting this for a while. Lots of cases have been investigated by ICO but all seem stalled at the final decision point. Our thinking was that ICO wanted to make a statement by making sure the first few announced were household names and for big fines. It shows the ICO is doing its job for the public and hopefully will make big organisations sit up and take note at board level.

    More power to their elbow.

  2. #2
    Senior Member Xlucine's Avatar
    Join Date
    May 2014
    Posts
    1,497
    Thanks
    218
    Thanked
    109 times in 93 posts
    • Xlucine's system
      • Motherboard:
      • Asus TUF B450M-plus
      • CPU:
      • R3 1200 @ 3.6 GHz
      • Memory:
      • 16GB @ 3 GHz
      • Storage:
      • Crucial MX500 1TB, Crucial MX100 512GB, 2TB hard disk
      • Graphics card(s):
      • EVGA 980ti
      • PSU:
      • Seasonic S12G-550
      • Case:
      • Silverstone TJ08-E
      • Operating System:
      • W10 pro
      • Monitor(s):
      • Viewsonic vx3211-2k-mhd, Dell P2414H
      • Internet:
      • Plusnet 70 Mb/s

    Re: Data Wars: The ICO Strikes Back

    It's nice to see, but how many years will these take to work through the appeals courts?

  3. #3
    Senior Member
    Join Date
    Aug 2016
    Posts
    735
    Thanks
    99
    Thanked
    160 times in 119 posts

    Re: Data Wars: The ICO Strikes Back

    Quote Originally Posted by spacein_vader
    More power to their elbow.
    +1 on that.

    Quote Originally Posted by Xlucine View Post
    It's nice to see, but how many years will these take to work through the appeals courts?
    In one sense, it doesn't reallly matter. Though in others, it does.

    A series of household names getting stuck with whopping fines should register with every other company as an "Oh sh ..... erm, shoot" moment. Conbine that with the Irish regulator challenging the "standard contractual clause" basis under which so many companies transfer European consumer's data into US jurisdiction and, if upheld, we may finally have some privacy protection measures with real teeth, and sharp ones at that.



    Both send the same fundamental message ti companies .... regulators are gerting serious, and if they get hit with a data breach, big fines WILL follow unless those firms can demonstrate they took securing our data seriously and didn't, as is currently too often the case, just pay lip-service to security with fine-sounding PR but then allocate a budget that coukd be filled from petty cash.

    Proper security regimes can be expensive and so many companies haven't taken it seriously. We need the penalties fir screwing up to WAY exceed the costs of doibg it properly and a series of "turnover-based" fines sends exactly that message.

    So yeah, more power to their elbow indeed. Absolutely.

  4. Received thanks from:

    MaddAussie (10-07-2019)

  5. #4
    Senior Member Lanky123's Avatar
    Join Date
    Jul 2007
    Location
    Oxford
    Posts
    905
    Thanks
    89
    Thanked
    145 times in 97 posts
    • Lanky123's system
      • Motherboard:
      • Gigabyte GA-H81M-D2V
      • CPU:
      • Core i5 4570
      • Memory:
      • 2 x 4GB Vengeance LP
      • Storage:
      • 250GB Samsung 840 EVO SSD + 2+4TB HDD + 3TB Synology DS216SE
      • Graphics card(s):
      • MSI Radeon R9 270X HAWK
      • PSU:
      • Silverstone Strider 400W
      • Case:
      • Silverstone Sugo SG02B-F
      • Operating System:
      • Windows 8.1 / Ubuntu 16.04
      • Monitor(s):
      • ElectriQ 32" 4k IPS + Dell 22" U2212HM
      • Internet:
      • Virgin 60Mbit/s

    Re: Data Wars: The ICO Strikes Back

    This does potentially open up a new revenue stream for criminals. Given the size of the fines how many companies would contemplate paying a hacker to keep things hush-hush and not sell on their data elsewhere? Of course you can't guarantee they'll keep to the deal, but if the hacker only charged 10% of the likely fine you'd receive? 5%? I don't know the going rate for hacked customer details on the dark web but ~£5m sounds like a pretty lucrative pay-off, particularly as you wouldn't have to go to the trouble of committing multiple credit card/identity frauds or selling the data on to other criminals.

    So, all things considered, I'm pleased that companies will have to up their security game. But I'm a little wary of the potential consequences and hope this eventuality has been thought through. Possibly any attempt to hide a data breach which is then discovered would automatically result in the maximum 4% of turnover fine?

  6. #5
    Senior Member spacein_vader's Avatar
    Join Date
    Sep 2014
    Location
    Darkest Northamptonshire
    Posts
    1,243
    Thanks
    69
    Thanked
    296 times in 196 posts
    • spacein_vader's system
      • Motherboard:
      • Asus B85M-G
      • CPU:
      • i5 4460 3.2GHz
      • Memory:
      • 4x4GB Crucial DDR3 1600
      • Storage:
      • 128GB SSD, 256GB SSD
      • Graphics card(s):
      • Asus RX-480 Dual OC 4GB
      • PSU:
      • Corsair HX 520W modular
      • Case:
      • Antec Mini P180
      • Operating System:
      • Windows 10 Pro
      • Monitor(s):
      • BenQ GW2765, Dell Ultrasharp U2412
      • Internet:
      • Origin Fibre Max

    Re: Data Wars: The ICO Strikes Back

    Quote Originally Posted by Xlucine View Post
    It's nice to see, but how many years will these take to work through the appeals courts?
    None. You can't appeal to a court, only to the regulator itself. Given in both the cases so far the data has definitely been breached you can't really argue you're not guilty, all you can do is try to get it reduced for good behaviour as it were. You have 30 days to lodge the appeal and I'd be surprised if it took longer than 3 months to get a result.

    Quote Originally Posted by Lanky123 View Post
    This does potentially open up a new revenue stream for criminals. Given the size of the fines how many companies would contemplate paying a hacker to keep things hush-hush and not sell on their data elsewhere? Of course you can't guarantee they'll keep to the deal, but if the hacker only charged 10% of the likely fine you'd receive? 5%? I don't know the going rate for hacked customer details on the dark web but ~£5m sounds like a pretty lucrative pay-off, particularly as you wouldn't have to go to the trouble of committing multiple credit card/identity frauds or selling the data on to other criminals.

    So, all things considered, I'm pleased that companies will have to up their security game. But I'm a little wary of the potential consequences and hope this eventuality has been thought through. Possibly any attempt to hide a data breach which is then discovered would automatically result in the maximum 4% of turnover fine?
    Under GDPR you must report any breach within 72 hours of discovering it, even if you don't know all the details by that point you tell them what you know and undertake to fill in the blanks later.

    If you don't report within 72 hours you'd need to find a damned good reason why not, "paying the breachers some hush money" won't cut it on that score. The easiest way to get the maximum fine is obstruction of a breach investigation or obfuscation of the breach in the first place.

    Organisations are already very wary of this, it's why BA disclosed their breach publicly within 24 hours whereas under the old scheme it could be months/years before places would grudgingly own up.

    In the last year before GDPR it was averaging 3 weeks before an organisation reported to ICO, this year's figures aren't out yet but given the speed of the confessions in the major cases I'd be stunned if it's over that 72 hour limit.

  7. Received thanks from:

    Lanky123 (10-07-2019),MLyons (10-07-2019),Saracen999 (10-07-2019),Xlucine (12-07-2019)

  8. #6
    RGB Champion Ttaskmaster's Avatar
    Join Date
    Nov 2013
    Location
    Reading, UK
    Posts
    5,087
    Thanks
    194
    Thanked
    542 times in 455 posts
    • Ttaskmaster's system
      • Motherboard:
      • Asus X99-PRO
      • CPU:
      • i7 5960X o/c to 4.summat
      • Memory:
      • 16GB Corsair DDR4 somethingorother
      • Storage:
      • Samsung Evo 120GB and Seagate Baracuda 2TB
      • Graphics card(s):
      • Gigabyte G1 GTX980Ti
      • PSU:
      • EVGA Supernova G2 1000W
      • Case:
      • Phankecks Enthoo Luxe perspex window
      • Operating System:
      • Win10 64 Home
      • Monitor(s):
      • Acer Predator XB270HU 1440 IPS GSync
      • Internet:
      • BT 0.7Mbps 'In The Sticks' version

    Re: Data Wars: The ICO Strikes Back

    Quote Originally Posted by Lanky123 View Post
    So, all things considered, I'm pleased that companies will have to up their security game. But I'm a little wary of the potential consequences and hope this eventuality has been thought through.
    The more you get fined, the less money you have with which to fix customers' problems.
    Whichever way you look at it, customers always pay the price and take the hits.
    _______________________________________________________________________

    Quote Originally Posted by PC-LAD View Post
    Tasky is right

  9. #7
    Senior Member spacein_vader's Avatar
    Join Date
    Sep 2014
    Location
    Darkest Northamptonshire
    Posts
    1,243
    Thanks
    69
    Thanked
    296 times in 196 posts
    • spacein_vader's system
      • Motherboard:
      • Asus B85M-G
      • CPU:
      • i5 4460 3.2GHz
      • Memory:
      • 4x4GB Crucial DDR3 1600
      • Storage:
      • 128GB SSD, 256GB SSD
      • Graphics card(s):
      • Asus RX-480 Dual OC 4GB
      • PSU:
      • Corsair HX 520W modular
      • Case:
      • Antec Mini P180
      • Operating System:
      • Windows 10 Pro
      • Monitor(s):
      • BenQ GW2765, Dell Ultrasharp U2412
      • Internet:
      • Origin Fibre Max

    Re: Data Wars: The ICO Strikes Back

    Quote Originally Posted by Ttaskmaster View Post
    The more you get fined, the less money you have with which to fix customers' problems.
    Whichever way you look at it, customers always pay the price and take the hits.
    For the organisations (not just companies, charities, public sector and others are all covered,) that get hit with a fine, sure. But the idea of the big scary fine is that you spend more money on improving data protection BEFORE you have a breach.

    It's a lot easier (for example) for ICT to convince the board that they need to spend £10m on replacing insecure systems if the fine is going to be £100m+.

  10. #8
    RGB Champion Ttaskmaster's Avatar
    Join Date
    Nov 2013
    Location
    Reading, UK
    Posts
    5,087
    Thanks
    194
    Thanked
    542 times in 455 posts
    • Ttaskmaster's system
      • Motherboard:
      • Asus X99-PRO
      • CPU:
      • i7 5960X o/c to 4.summat
      • Memory:
      • 16GB Corsair DDR4 somethingorother
      • Storage:
      • Samsung Evo 120GB and Seagate Baracuda 2TB
      • Graphics card(s):
      • Gigabyte G1 GTX980Ti
      • PSU:
      • EVGA Supernova G2 1000W
      • Case:
      • Phankecks Enthoo Luxe perspex window
      • Operating System:
      • Win10 64 Home
      • Monitor(s):
      • Acer Predator XB270HU 1440 IPS GSync
      • Internet:
      • BT 0.7Mbps 'In The Sticks' version

    Re: Data Wars: The ICO Strikes Back

    Quote Originally Posted by spacein_vader View Post
    It's a lot easier (for example) for ICT to convince the board that they need to spend £10m on replacing insecure systems if the fine is going to be £100m+.
    For certain companies, though, the record-breaking £126m fine (more than 50% of profit and about 16% of turnover) is still far cheaper than the amount required to resolve the issues, and fines of that level don't help to resolve anything.
    _______________________________________________________________________

    Quote Originally Posted by PC-LAD View Post
    Tasky is right

  11. #9
    Senior Member spacein_vader's Avatar
    Join Date
    Sep 2014
    Location
    Darkest Northamptonshire
    Posts
    1,243
    Thanks
    69
    Thanked
    296 times in 196 posts
    • spacein_vader's system
      • Motherboard:
      • Asus B85M-G
      • CPU:
      • i5 4460 3.2GHz
      • Memory:
      • 4x4GB Crucial DDR3 1600
      • Storage:
      • 128GB SSD, 256GB SSD
      • Graphics card(s):
      • Asus RX-480 Dual OC 4GB
      • PSU:
      • Corsair HX 520W modular
      • Case:
      • Antec Mini P180
      • Operating System:
      • Windows 10 Pro
      • Monitor(s):
      • BenQ GW2765, Dell Ultrasharp U2412
      • Internet:
      • Origin Fibre Max

    Re: Data Wars: The ICO Strikes Back

    Quote Originally Posted by Ttaskmaster View Post
    For certain companies, though, the record-breaking £126m fine (more than 50% of profit and about 16% of turnover) is still far cheaper than the amount required to resolve the issues, and fines of that level don't help to resolve anything.
    Are there places out there for whom their data issues would cost more than 4% of their annual turnover EVERY YEAR? The fines can roll on, if you don't fix the problem its another 4% next year, and the year after, and so on till you either fix it or go bust. Fixing and going bust have the same effect, you no longer have the data and hopefully your customers have now moved by someone who does take it seriously.

  12. #10
    RGB Champion Ttaskmaster's Avatar
    Join Date
    Nov 2013
    Location
    Reading, UK
    Posts
    5,087
    Thanks
    194
    Thanked
    542 times in 455 posts
    • Ttaskmaster's system
      • Motherboard:
      • Asus X99-PRO
      • CPU:
      • i7 5960X o/c to 4.summat
      • Memory:
      • 16GB Corsair DDR4 somethingorother
      • Storage:
      • Samsung Evo 120GB and Seagate Baracuda 2TB
      • Graphics card(s):
      • Gigabyte G1 GTX980Ti
      • PSU:
      • EVGA Supernova G2 1000W
      • Case:
      • Phankecks Enthoo Luxe perspex window
      • Operating System:
      • Win10 64 Home
      • Monitor(s):
      • Acer Predator XB270HU 1440 IPS GSync
      • Internet:
      • BT 0.7Mbps 'In The Sticks' version

    Re: Data Wars: The ICO Strikes Back

    Quote Originally Posted by spacein_vader View Post
    Are there places out there for whom their data issues would cost more than 4% of their annual turnover EVERY YEAR?
    Potentially, yes... and I was working on the basis of 10%, since that's what regulators seem to like best.

    Quote Originally Posted by spacein_vader View Post
    Fixing and going bust have the same effect, you no longer have the data and hopefully your customers have now moved by someone who does take it seriously.
    Our customers have no choice who they're with, unless they move to the other end of the country.
    _______________________________________________________________________

    Quote Originally Posted by PC-LAD View Post
    Tasky is right

  13. #11
    Senior Member spacein_vader's Avatar
    Join Date
    Sep 2014
    Location
    Darkest Northamptonshire
    Posts
    1,243
    Thanks
    69
    Thanked
    296 times in 196 posts
    • spacein_vader's system
      • Motherboard:
      • Asus B85M-G
      • CPU:
      • i5 4460 3.2GHz
      • Memory:
      • 4x4GB Crucial DDR3 1600
      • Storage:
      • 128GB SSD, 256GB SSD
      • Graphics card(s):
      • Asus RX-480 Dual OC 4GB
      • PSU:
      • Corsair HX 520W modular
      • Case:
      • Antec Mini P180
      • Operating System:
      • Windows 10 Pro
      • Monitor(s):
      • BenQ GW2765, Dell Ultrasharp U2412
      • Internet:
      • Origin Fibre Max

    Re: Data Wars: The ICO Strikes Back

    Quote Originally Posted by Ttaskmaster View Post
    Potentially, yes... and I was working on the basis of 10%, since that's what regulators seem to like best.


    Our customers have no choice who they're with, unless they move to the other end of the country.
    You don't have to worry about 10%, it's capped at 4. I'm assuming you either work for government or a utility but I still struggle to believe that they have systems so insecure and so expensive to either mitigate or replace that the fine is the cheaper option.

  14. #12
    RGB Champion Ttaskmaster's Avatar
    Join Date
    Nov 2013
    Location
    Reading, UK
    Posts
    5,087
    Thanks
    194
    Thanked
    542 times in 455 posts
    • Ttaskmaster's system
      • Motherboard:
      • Asus X99-PRO
      • CPU:
      • i7 5960X o/c to 4.summat
      • Memory:
      • 16GB Corsair DDR4 somethingorother
      • Storage:
      • Samsung Evo 120GB and Seagate Baracuda 2TB
      • Graphics card(s):
      • Gigabyte G1 GTX980Ti
      • PSU:
      • EVGA Supernova G2 1000W
      • Case:
      • Phankecks Enthoo Luxe perspex window
      • Operating System:
      • Win10 64 Home
      • Monitor(s):
      • Acer Predator XB270HU 1440 IPS GSync
      • Internet:
      • BT 0.7Mbps 'In The Sticks' version

    Re: Data Wars: The ICO Strikes Back

    Quote Originally Posted by spacein_vader View Post
    You don't have to worry about 10%, it's capped at 4.
    "We can fine companies 10% of their turnover for a breach of licence or legal duty".
    https://www.ofwat.gov.uk/regulated-c...ns-and-powers/

    Regulators of other industries say similar things, so I presumed the same was true of all regulators.
    A quick Goggle suggests 4% or 20mil, whichever is higher.... but worth noting that if the prosecution goes to court, the court can issue it's own fine, which is limited to "Whatever the hell we like" and why our industry is now seeing record levels of penalty.

    Quote Originally Posted by spacein_vader View Post
    I'm assuming you either work for government or a utility but I still struggle to believe that they have systems so insecure and so expensive to either mitigate or replace that the fine is the cheaper option.
    Well, the systems are probably quite cheap to replace... but firstly, we'll pay corporate rates. An encrypted flash drive costing £22 at the local PC World will cost us £56 through the supplier we are contractually bound to use. Simple installations, password resets and other things that I could do myself in 30 seconds, if I only had Admin rights on my own machine, will instead cost hundreds and take days as it gets processed through the various approval procedures.

    A little while after I'd upgraded my home PC to Win10, I heard the exciting news that my work PC was going to be upgraded.
    "Yes indeed, Comrade Tasky, we have stepped up our game to be at the forefront of cutting edge technology. Therefore, we are exceedingly excited to announce that, over this very weekend, your cacky HP desktop machinamabob will be completely upgraded to..... Windows 7!!"

    Besides, 'cheaper to pay the fine' is now an ingrained mentality in our industry.... about which your assumption is correct. Call me when your sewers flood or your train derails.
    _______________________________________________________________________

    Quote Originally Posted by PC-LAD View Post
    Tasky is right

  15. #13
    Senior Member
    Join Date
    Aug 2016
    Posts
    735
    Thanks
    99
    Thanked
    160 times in 119 posts

    Re: Data Wars: The ICO Strikes Back

    Quote Originally Posted by Ttaskmaster View Post
    "We can fine companies 10% of their turnover for a breach of licence or legal duty".
    https://www.ofwat.gov.uk/regulated-c...ns-and-powers/

    Regulators of other industries say similar things, so I presumed the same was true of all regulators.
    A quick Goggle suggests 4% or 20mil, whichever is higher.... but worth noting that if the prosecution goes to court, the court can issue it's own fine, which is limited to "Whatever the hell we like" and why our industry is now seeing record levels of penalty.
    Those higher rates apply to other regulators for breach of licence, but the ICO fines fir GDPR are, at a max, £29m or 4% of turnover, which is the higher.

    ICO

  16. #14
    Senior Member spacein_vader's Avatar
    Join Date
    Sep 2014
    Location
    Darkest Northamptonshire
    Posts
    1,243
    Thanks
    69
    Thanked
    296 times in 196 posts
    • spacein_vader's system
      • Motherboard:
      • Asus B85M-G
      • CPU:
      • i5 4460 3.2GHz
      • Memory:
      • 4x4GB Crucial DDR3 1600
      • Storage:
      • 128GB SSD, 256GB SSD
      • Graphics card(s):
      • Asus RX-480 Dual OC 4GB
      • PSU:
      • Corsair HX 520W modular
      • Case:
      • Antec Mini P180
      • Operating System:
      • Windows 10 Pro
      • Monitor(s):
      • BenQ GW2765, Dell Ultrasharp U2412
      • Internet:
      • Origin Fibre Max

    Re: Data Wars: The ICO Strikes Back

    Quote Originally Posted by Saracen999 View Post
    Those higher rates apply to other regulators for breach of licence, but the ICO fines fir GDPR are, at a max, £29m or 4% of turnover, which is the higher.

    ICO
    It's 4% or €20m, or whatever the equivalent is in sterling. So they'd best pay it before Brexit or it could be a lot more £ than currently.

  17. #15
    RGB Champion Ttaskmaster's Avatar
    Join Date
    Nov 2013
    Location
    Reading, UK
    Posts
    5,087
    Thanks
    194
    Thanked
    542 times in 455 posts
    • Ttaskmaster's system
      • Motherboard:
      • Asus X99-PRO
      • CPU:
      • i7 5960X o/c to 4.summat
      • Memory:
      • 16GB Corsair DDR4 somethingorother
      • Storage:
      • Samsung Evo 120GB and Seagate Baracuda 2TB
      • Graphics card(s):
      • Gigabyte G1 GTX980Ti
      • PSU:
      • EVGA Supernova G2 1000W
      • Case:
      • Phankecks Enthoo Luxe perspex window
      • Operating System:
      • Win10 64 Home
      • Monitor(s):
      • Acer Predator XB270HU 1440 IPS GSync
      • Internet:
      • BT 0.7Mbps 'In The Sticks' version

    Re: Data Wars: The ICO Strikes Back

    Yeah. I know. I did done and Goggle it....
    _______________________________________________________________________

    Quote Originally Posted by PC-LAD View Post
    Tasky is right

  18. #16
    Senior Member
    Join Date
    Aug 2016
    Posts
    735
    Thanks
    99
    Thanked
    160 times in 119 posts

    Re: Data Wars: The ICO Strikes Back

    Quote Originally Posted by spacein_vader View Post
    It's 4% or €20m, or whatever the equivalent is in sterling. So they'd best pay it before Brexit or it could be a lot more £ than currently.
    Yeah, sorry .... typo. £20m

    And surely, if Br .... that thing .... is the disaster remainers predict, the £ will devalue, and US companies will get more £ for their $, and so it'll cost less, not more.

    If.

    But do we really wanto to go there? It's been so quiet recently.

Page 1 of 2 12 LastLast

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •