The cost of not protecting data
When the European Union’s (EU) General Data Protection Regulation (GDPR) was first proposed in 2012, it set off a great deal of speculation (and a fair amount of fearmongering) as to how the novel regulation would affect organizations. There were webinars and workshops to attend to gain a better understanding of GDPR and prepare for it, and we in the insurance community all heard about that dark beast that would be lurking in the woods – the one that could destroy an organization that fell victim to and mishandled a data breach – ‘the Mega Fine’.
Since its implementation in May 2018, where do we stand? The short answer is that it is still unclear. At Beazley, we recently studied the size of the GDPR fines levied in 2019 and the jurisdictions in which they were levied, and what we found is inconsistency across regulators. Fines have varied greatly in size, and some data protection agencies (DPAs) are more aggressive than others.
In addition to the UK, GDPR action was taken in at least 15 countries last year: Belgium, Bulgaria, France, Germany, Greece, Hungary, Ireland, Italy, Lithuania, Netherlands, Norway, Poland, Romania, Spain and Sweden.
Of these countries, the UK can take credit for the biggest fines assessed. Over the summer, the Information Commissioner’s Office (ICO) proposed two massive fines – $229 million against British Airways and $124 million against Marriott Hotels in relation to security breaches. The actual amount to be paid by the two companies is pending final ICO notices, which were expected at the end of March, but have been further delayed to early June. It remains to be seen whether the current impact of Covid-19 on the travel industry might sway the ICO’s assessment of these fines.
At the high end of the range, the Austrian DPA imposed an administrative fine of $20 million on the company responsible for the postal service, Österreichische Post AG (ÖPAG), for violating the GDPR by processing personal data on the political views of affected data subjects.
In Germany, a fine of $16 million was issued against the Berlin-based residential property company Deutsche Wohnen SE for violations of the GDPR relating to the unnecessary collection and retention of personal data.
At the lower end are the Italian DPA fine of $1.1 million against Facebook over the Cambridge Analytica scandal, and a German DPA fine of $2.2 million against Facebook for underreporting complaints by data subjects. These penalties are more than “a slap on the wrist,” but they are minor when considering that Facebook has annual revenue in excess of $70 billion.
In addition to inconsistent penalties, we have witnessed differences in the approaches taken by the DPAs and in their investigation timeframes. As just one example, in the UK the ICO is focused on the cost of ransomware to the organization, while in Ireland there is heightened interest in how ransomware could affect individuals. We have also seen regulators close the file on a data breach in a matter of days, while other investigations have stretched out six months or more.
Thus, as we near two years with GDPR in place – when it comes to the cost of not protecting data – the jury is still out. Fines vary greatly, as do actions by the DPAs. Our best advice to insureds is to have some sense of where the biggest risks lie: in GDPR compliance itself, since a significant proportion of fines are a result of non-compliance, and in large fines and active DPAs. Boards can no longer ignore the issue, and organizations must take the necessary steps to understand the risk and implement proper oversight of their security procedures and protocols. No one wants to be a victim of “the Mega Fine.”
About the author:
Helen joined Beazley in April 2018 as an International Breach Response Manager. Helen is responsible for handling international breach incidents and overseeing breach management for policyholders outside the US and Canada who hold a Beazley Breach Response cyber policy. Helen also works closely with Beazley's underwriters in the development of new cyber breach offerings.