InfoWatch Analytics Center has released a global report on personal and payment data breach penalties imposed on government organizations and businesses. Globally, both the number and size of such penalties are growing, with 57 fines being imposed on businesses for a total of over $320 million in 2018 (compared to some $45 million paid in 39 such cases in 2017). Thus, the year 2018 saw more than a seven-fold increase in the global amount of fines for personal and payment data breaches and a five-fold growth in an average pay-out (up to $5.7 million).
Moreover, in 2018, such sanctions for personal data leaks were applied against companies across 11 countries (Austria, Brazil, United Kingdom, Germany, the Netherlands, Spain, Italy, Portugal, Singapore, US, and France), while the 2017 penalties affected eight countries only, with the majority of data breach sanctions in 2017-2018 hitting companies in the US, UK, and Singapore. French authorities became much stricter and already imposed six penalties in 2018 (vs. only one such ruling made in 2017).
In 2018, the European Union gave effect to the General Data Protection Regulation (GDPR) that establishes personal data protection principles and requirements. Now, a company must pay the greater of 4% of its annual worldwide turnover or €20 million if it violates basic personal data processing principles or transfer rules, ignores a data processing prohibition, infringes upon data subject's rights, and so on.
A smaller yet significant fine of €10 million or 2% of annual worldwide turnover shall be imposed on a company that violates the procedure of data breach notification, lacks a data protection officer (where necessary), illegally processes children’s personal data, etc.
The first penalties for GDPR violations were recorded at the end of 2018. Thus, Portuguese hospital Centro Hospitalar Barreiro Montijo was fined €400,000 for major violations related to personal data access.
“By adopting heavy liability for breaking personal data storage and processing rules, GDPR, in fact, sets global information protection standards,” said Andrey Arsentyev, Analyst at InfoWatch Group. “GDPR operation will increase the liability for violations of personal data confidentiality, potentially costing large businesses billions in penalties.”
The year 2018 brought three huge pay-outs for a total of over $200 million. Uber alone agreed to pay $148 million in connection with a 2016 breach compromising personal information of more than 57 million passengers and drivers – the world’s largest penalty related to information protection so far. Yahoo is to pay $50 million to victims of digital burglaries that occurred in 2013 and 2014 affecting three billion user accounts, while Tesco Bank (UK) was fined $20.9 million over an attack, in which hackers stole $2.9 million from its customer accounts.
In the US, an average penalty per breach reached $23.3 million in 2018, which is eight times higher than in 2017 or four times higher if Uber’s mega penalty is not taken into account.
In the United Kingdom, an average pay-out per leak increased by 14 times up to $1.69 million, or 2.5 times if Tesco Bank case is omitted.
In some other countries with similar lawsuits, e.g. Italy and Spain, an average penalty amount at least doubled to exceed $1M.
In 2018, Singapore saw a one-third rise in an average payment by businesses to approximately $10,000 and still remains the only Asian country that has an established practice of penalizing for personal data protection violations.
Unlike the said countries, Russia did not report any monetary sanctions against organizations for data breaches in 2017-2018. In 2018, the Ministry of Digital Development, Communications and Mass Media of the Russian Federation drafted a bill to introduce amendments to the Code of Administrative Offences as per which a legal entity that commits a personal data breach must pay 10,000 to 30,000 rubles.
In the 2018 breakdown by industry, high-tech companies faced 25% of penalties for personal data breaches (which is more than the year before), financial organizations suffered 16% of all sanctions (twice as much as in 2017), manufacturing and transportation enterprises were fined in 12% of cases, while educational institutions accounted for 7% of all penalties. At the same time, the shares of healthcare and government sectors went down to 17% and 7%, respectively.
Andrey Arsentyev believes that increasing legislative pressure will make organizations more scrupulous about enterprise information asset security and protection against internal cyber threats. Indeed, as internally-driven data breaches cost more and more, businesses will continue to fortify their security by adopting Data Leak Prevention (DLP) and predictive analytics systems, added the expert.
Download reportFull version, pdf - 612 КБ
