The average value of fines issued by the Information Commissioner’s Office for failing to protect against data breaches has doubled to £146,000 in the year to September 30 2018, up from £73,000 the year before.

The total value of penalties imposed by the Information Commissioner’s Office (ICO) rose to £4.98 million last year*, up 24% from £4 million the year before.

The introduction of the General Data Protection Regulations (GDPR) is expected to result in higher fines for larger businesses over the medium term.

The ICO is likely to hold off on issuing large fines to SMEs, however, as GDPR fines are proportionate to the risk posed by a breach. The regulator has also said it will not be making early examples of businesses for minor infringements by issuing large fines.

Breaches of the GDPR, which came into effect on 25 May, could potentially lead to an organisation that has failed to protect the data becoming subject to much larger fines - of up to €20m or 4% of the organisation’s turnover. The maximum fine under previous UK legislation was £500,000.

The ICO recently issued the UK’s first GDPR enforcement notice against AggregateIQ, in relation to an incident that saw data of up to 87 million Facebook users accessed. The firm is appealing the fine.

Three of the largest fines issued by the ICO in the last year were against:

  • Equifax, which was fined the maximum £500,000 for failing to protect the personal information of up to 15 million UK citizens during a cyber-attack in 2017
  • Carphone Warehouse, which was fined £400,000 for failing to adequately protect customer and employee data
  • The British and Foreign Bible Society, which promotes the availability of the Bible worldwide, was fined £100,000 following a cyber-attack that compromised personal data of 417,000 people

Richard Breavington, Partner at RPC, comments: “A doubling in the average size of a fine should serve as a wake-up call to businesses. However, political pressure is mounting.”

“Given that there seems to be no slowdown in the number of cyber-attacks today – businesses need to see how they can mitigate the risks to their customer when there is an attack.”

“For example, businesses should ensure that they take out cyber insurance policies so that they can bring in experts to contain the impact of an attack and limit the exfiltration of data.”

Insurance against data breaches is one of the fastest growing areas of the insurance industry. Data breach services such as RPC’s ReSecure can help to protect the data and reputation of companies, if they become the victim of a hack.

ReSecure provides companies with access to data breach management, technical forensic investigation, legal advice, notification, web and credit monitoring and public relations services.

The average value of a fine issued by the ICO doubled to £146,000 last year

The value of fines issued by the ICO last year increased by 24% to £4.98m