We look at some of the latest data breach punishments and question what they might mean for the charity sector
Organisations of all kinds – and that includes charities – can face heavy fines if they suffer data breaches leading to the loss or exposure of private information.
The negative publicity and the financial penalty following a data breach are bad for businesses, but for charities they can be devastating. That’s because of the loss of trust in the charity that ensues.
After all, why should anyone donate to a charity if they think their money may end up being used to pay a fine? And why should anyone turn to the charity for help if they can’t trust the charity to keep their personal information private?
When the General Data Protection Regulation (GDPR) came into effect in May 2018, the Information Commissioner’s Office (ICO), which can issue fines, was fairly lenient. But in the intervening few years, it and its European counterparts have begun to flex their muscles.
From January 2020 to January 2021, fines imposed on organisations of all types for failure to comply with the GDPR rose by nearly 40%, according to research from DLA Piper, and more than 120,000 data breach notifications were recorded. In the UK alone, in the most recent quarter for which data has been published, the ICO received 2,594 data breach notifications.
Many of these data breaches were the result of criminal activity, with phishing attacks being the most common cause. But some of the data breaches were not a result of cyber crime at all. Many were the result of misdirected emails.
300 billion emails are sent every day and many of them do not end up where they were intended. Common causes of misdirected email are simply clicking on the wrong intended recipient in a contacts app, not noticing that the app has auto-suggested or auto-completed the wrong name, and not noticing that an email is being sent to email addresses in the cc field as well as the intended recipient.
Charities and voluntary organisations accounted for 172 of these data breaches, and only 58 of these were due to cyber crime. The remaining 114 of the 172 incidents were due to “self-inflicted” accidents such as sending emails to the wrong recipients, failure to dispose of computer hardware securely, and losing laptops and other devices.
The penalties for failing to keep data secure in breach of regulations such as the GDPR can be significant. Marriott International was fined £18.4 million in October 2020 for failing to keep millions of its customers’ personal data secure, for example. And British Airways was fined £20 million for failing to protect the personal and financial details of more than 400,000 of its customers.
These are large companies, but small charities can be, and have been, fined for data breaches. The British and Foreign Bible Society was fined £100,000 in 2018 after the personal data of supporters was obtained by hackers in a data breach. And in 2017, 11 charities including Oxfam, Cancer Research UK, and The Royal British Legion were fined between £6,000 and £18,000 for misusing information about millions of past donors for fundraising purposes in breach of the Data Protection Act.
Looking at the impact of a fine following a data breach can be a useful exercise for charities. In purely financial terms, there is the monetary cost of the fine, as well as the costs associated with remediation: contacting those affected, hiring cyber security consultants to work out what went wrong and how to prevent it happening again, and so on.
But it’s also important to consider the longer-term costs to a charity following a fine. Although it is hard to be precise, it is not unreasonable to estimate that the cost to a charity due to falls in fundraising receipts could be as much as ten times higher than the fine itself.
So what can charities do to mitigate the risks of being fined for data breaches, and indeed to mitigate the risks of data breaches in the first place? To avoid the risk of being fined, charities need to ensure that they comply with all relevant data protection regulations, which in practice is likely to be the UK GDPR, as well as the EU GDPR if dealing with personal data about people in the EU.
The ICO offers many resources to help charities ensure that they comply with the UK GDPR, as well as a data protection self-assessment toolkit. The ICO has also recommended 12 steps that organisations should take to fulfil GDPR requirements, including:
When it comes to avoiding data breaches themselves, charities should ensure that they have made a cyber security risk assessment and then take appropriate actions to mitigate the risk of a breach due to a cyber security incident.
Avoiding accidental breaches is more difficult in many ways, but there are a number of steps charities can take. You can ensure all data on laptops or USB sticks is encrypted to keep it secure even if the hardware is lost or stolen, for example, and also ensure the right steps are taken to dispose of unwanted laptops and other IT equipment securely.