The biggest data breach fines of 2019 and what they mean for charities

Despite these 230 charity data breaches in the first half of 2019, and what is likely to be a similar number in the second half of the year, none of the charities affected were fined by the ICO according to its enforcement action notices web page. But the ICO can and does levy fines for data breaches, as the following cases make clear:

British Airways: £183 million fine

The biggest fine levied by the ICO to date is for an eyewatering £183.39 million, which it said it intended to impose on British Airways in July 2019 for a data breach in August and September 2018 – just three months after the GDPR came into effect - when about 500,000 customers’ personal data was exposed. This included names, addresses, credit card information and booking details. Some of these credit card details where later being sold in the "dark web" by Russian cyber criminals, according to a report by cyber threat intelligence company RiskIQ.

In fact British Airways got off relatively lightly in this case: the fine represents far less than 2% of British Airways’ turnover. If the ICO had levied the maximum 4% fine this could have run to £500 million.

Equifax Inc. £700 million fine

The credit reporting agency Equifax Inc. received an approximate $700 million fine (the exact amount has yet to be finalised) from the Federal Trade Commission (FTC) and the Consumer Financial Protection Bureau in the U.S. for a data breach in 2017 that resulted in more than 140 million people’s personal data being breached by cyber criminals.

What’s interesting about this case as that the ICO also issued a £500,000 fine to Equifax Ltd in the UK back in September 2017 for failing to protect the personal information of up to 15 million UK citizens during the 2017 cyber attack, even though the computer systems that were compromised were in the US. The fine was imposed by the ICO because the UK operation "failed to take appropriate steps to ensure its American parent Equifax Inc, which was processing the data on its behalf, was protecting the information," according to the ICO.

The fact that the ICO did not fine any charities in 2019 should not be cause for complacency. That’s because the ICO has already shown that it is prepared to crack down on charities that have inadequate cyber security measures in place: in 2018 the British and Foreign Bible Society charity was fined £100,000 by the ICO for putting personal data at risk and potentially revealing the religious identity of donors after cyber criminals accessed over 400,000 of its supporters’ records.

What can charities do to minimise the likelihood of experiencing a data breach and incurring a potentially significant fine?

The most common form of cyber incidents stem from phishing attacks, so charities should make phishing awareness training a priority for all of their staff.

When it comes to "non cyber" incidents caused by carelessness there is no simple solution except to reinforce the importance of taking due care of customers’ personal data.

There are also many resources designed to help charities avoid falling foul of the GDPR, including guidelines on how to comply with the regulation, and an ICO self-assessment procedure and checklist aimed at smaller organisations which helps to evaluate any gaps in data protection processes. Tailored advice for charities is available in the form of a FAQ tackling data protection matters.

The information commission Elizabeth Denham underlines the importance of data security: "When you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

Ultimately the message to digital leaders should be clear: taking adequate cyber security measures to protect customers’ personal data can be expensive, but failing to do so and incurring a fine can be more expensive still.