Over 160,000 data-breach notifications have been made to authorities in the 18 months since Europe’s new digital privacy regulation came into force, and the number of breaches and other security incidents being reported is on the rise.
Analysis by law firm DLA Piper found that after the General Data Protection Regulation (GDPR) came into force on 25 May 2018, the first eight months saw an average of 247 breach notifications per day. In the time since, that has risen to an average of 278 notifications a day.
“GDPR has driven the issue of data breach well and truly into the open. The rate of breach notification has increased by over 12% compared to last year’s report and regulators have been busy road-testing their new powers to sanction and fine organisations,” said Ross McKean, partner at DLA Piper, specialising in cyber and data protection.
The GDPR Data Breach Survey also calculates the total cost of GDPR-related fines paid so far to be €114m ($126m/£97m). The largest fine paid so far was one of €50m issued by the French data protection authority, CNIL, to Google over infringements around transparency and consent.
The UK Information Commissioner’s Office (ICO) has issued two larger fines relating to data-protection infringements, but currently neither of the organisations involved has come to a final agreement over the payments.
In July last year, British Airways was issued with a £183m ($238m/€213m) fine following cyberattacks against its systems that resulted in personal details of around 500,000 customers being stolen by hackers.
Following what was described as an “extensive investigation”, the ICO concluded that information was compromised by “poor security arrangements” at British Airways. At the time, the airline made it clear it wasn’t happy with the fine, stating it was “surprised and disappointed”.
Then, just a day later, the ICO issued a fine of £99m ($124m/€112m) to Marriott Hotels for a data breach that exposed the personal details of 339 million guests around the world – including 30 million European citizens and seven million UK citizens.
Hackers breached Starwood Hotels in 2014; that hotel chain was subsequently purchased by Marriott in 2016, but the breach wasn’t discovered and patched until 2018. A statement from Marriott at the time of the penalty notice said the company was “deeply disappointed” by the proposed fine.
Both Marriott and British Airways are appealing their fines.
Under GDPR, organisations can be fined up to four per cent of their annual turnover if, following a data breach, they are found to have been irresponsible with security. Despite this, it is believed that just one-third of organisations are fully GDPR-compliant.
The total amount of fines of €114 million imposed to date is relatively low compared to the potential maximum fines that can be imposed under GDPR, indicating that we are still in the early days of enforcement, said McKean.
“We expect to see momentum build with more multi-million Euro fines being imposed over the coming year as regulators ramp up their enforcement activity.”