Study signals inconsistent data breach compliance costs

Insureds should have some sense of where their biggest data security risks lie in order to satisfy government compliance guidelines and avoid large fines.

As we near two years with GDPR in place — when it comes to the cost of not protecting data — the jury is still out regarding data breach investigation depth or fine size.

When the European Union’s (EU) General Data Protection Regulation (GDPR) was first proposed in 2012, it set off a great deal of speculation (and a fair amount of fear-mongering) as to how the novel regulation would affect organizations. There were webinars and workshops to attend to gain a better understanding of and prepare for GDPR, and we in the insurance community all heard about that dark beast that would be lurking in the woods — the one that could destroy an organization that fell victim to and mishandled a data breach — “the Mega Fine.”

Since 2018 implementation…

Where do we stand? The short answer is: It is still unclear.

At Beazley, we recently studied the size of GDPR fines and the jurisdictions in which they were levied in 2019. What we found was inconsistency across regulators. Fines have varied greatly in size, and some data protection agencies (DPAs) are more aggressive than others.

In addition to the UK, GDPR action was taken in at least 15 countries last year: Belgium, Bulgaria, France, Germany, Greece, Hungary, Ireland, Italy, Lithuania, Netherlands, Norway, Poland, Romania, Spain and Sweden.

Of these countries, the UK can take credit for the biggest fines assessed. Over the summer, the Information Commissioner’s Office (ICO) proposed two massive fines as a result of security breaches: $229 million against British Airways and $124 million against Marriott Hotels. The actual amount to be paid by the two companies is pending final ICO notices, which were expected at the end of March, but have been further delayed to early June.

It remains to be seen whether the current impact of COVID-19 on the travel industry might sway the ICO’s assessment of these fines.

At the high end of the range, the Austrian DPA imposed an administrative fine of $20 million on the company responsible for the postal service, Österreichische Post AG (ÖPAG), for violating the GDPR by processing personal data on the political views of affected data subjects.

In Germany, a fine of $16 million was issued against the Berlin-based residential property company Deutsche Wohnen SE for violations of the GDPR relating to the unnecessary collection and retention of personal data.

At the lower end are the Italian DPA fine of $1.1 million against Facebook over the Cambridge Analytica scandal, and a German DPA fine of $2.2 million against Facebook for under-reporting complaints by data subjects. These penalties are more than “a slap on the wrist,” but they are minor when considering that Facebook has annual revenue in excess of $70 billion.

More inconsistencies

We also have witnessed differences in the approaches taken and investigation time frames by the DPAs. As just one example in the UK, the ICO is focused on the cost of ransomware to the organization while in Ireland there is heightened interest in how ransomware could affect individuals.

What’s more, we have seen regulators close the file on a data breach in a matter of days while other investigations have stretched out six months or more.

As we near two years with GDPR in place — when it comes to the cost of not protecting data — the jury is still out. Fines vary greatly, as do actions by the DPAs. Our best advice to insureds is to have some sense of where the biggest risks lie, in terms of GDPR compliance, large fines and active DPAs, since a significant proportion of fines are the result of non-compliance.

Boards can no longer ignore the issue and organizations must take the necessary steps to understand the risk and implement proper oversight of their security procedures and protocols. Because no one wants to be a victim of “the Mega Fine.”

Helen Nuttall (helen.nuttall@beazley.com) is an International Breach Response Manager at Beazley. She is responsible for handling international breach incidents and overseeing breach management for policyholders outside the U.S. and Canada who hold a Beazley Breach Response cyber policy. Helen also works closely with Beazley’s underwriters in the development of new cyber breach offerings.
