Skip to main content

Compared to data breach costs, an ICO fine is simply a drop in the ocean

For companies today, the potential for a data breach has never been higher. With the increasing sophistication of cyber threats, the growing use of the cloud and the ignorance of some when handling sensitive data, the frequency of data breaches is only going to escalate.

Indeed, during Home Secretary Theresa May’s speech to announce the new UK Surveillance Bill, she referred to the positive impact technology has had on all our lives but, at the same time, how it has created new threats. While the bill itself may have received a lot of criticism, no one can really disagree with her on that point. Despite all its benefits, technology now forms the foundation of arguably all of the threats facing us and our data.

More often than not, when an organisation suffers a data breach there is one party that is impacted far more greatly than anyone else – the consumer. As companies continue to collect more and more data about their customers, any breach will likely result in personal information becoming compromised. Moreover, this issue will only worsen as the impending EU Data Protection Regulation changes will expand the definition of ‘personal data’ to include email addresses and any information which can be used to contact the user. Currently, however, UK businesses are expected to comply with laws such as the Data Protection Act, and fines of up to £500,000 can be handed out for non-compliance by the Information Commissioner’s Office (ICO).

You’d think that the potential for a fine of half a million pounds would provide enough incentive for businesses to put in place the relevant data protection measures to remain compliant, however, that’s not always the case. What should get businesses in a cold sweat then is the other ongoing data breach repercussions which, when tallied up, will make the ICO fine seem like a drop in the ocean.

Firstly, any data breach will have a pretty significant impact on a company’s reputation. A fall in consumer trust results in a loss of customers and, therefore, a drop in sales. If the company is listed, there’s the decrease in share value to contend with too. Take TalkTalk for instance, following its data breach its stock price fell by 10 per cent. Falling share prices often means unhappy shareholders and that can result in the CEO being forced out, just ask Gregg Steinhafel (the former CEO of Target). TalkTalk will also find it a challenge to attract new business in the future too, consumers aren’t going to simply forget about the breach and will instead spend their money with competitors which have cleaner histories.

Next up there’s the costs of putting things right. Following a data breach, all impacted parties including existing customers, potential new customers and even the workforce need to be won over. This can involve a number of things depending on the type of breach. For example, if a breach compromises bank details, the offending company may have to offer free credit monitoring services to those affected so they’re made aware of fraudulent activity that may take place as a result. If a breach impacts a large number of consumers, the organisation will need to dedicate resources to deal with the onslaught of angry customers who will inevitably call to vent their frustrations and perhaps want to leave. Indeed, while it may seem easier to shy aware from such phone calls, not communicating with the impacted parties will simply exacerbate the situation. The morale of the workforce is also important to consider. Even if they haven’t been impacted directly, no one wants to work for a company that is on the receiving end of negative press.

Finally, there’s the incredibly damaging potential for ongoing lawsuits from victims. When an individual has their data compromised, they can become vulnerable to targeted extortion attacks and argue that they should be compensated for the breach in trust. Just recently Sony paid out $8 million to employees impacted by its 2014 breach and more than 2,000 current and former employees of Morrisons are suing the supermarket after their details were compromised online. What’s really worrying for businesses, however, is that during the well-publicised Google vs. Vidal-Hall case, the UK Supreme Court ruled that claimants don’t even have to prove monetary loss and can simply claim for distress caused.

It’s undoubtable that a data breach can have catastrophic consequences for any company. The effects can last years and firms will have to invest a lot of time and resources in order to rebuild public trust. Then, just to re-open old wounds, there’s the ICO fine to deal with. The public sector body publishes press releases alongside its fines to ensure everyone is aware of the action which has been taken and who against, meaning consumers will once again be reminded of any breach.

Ultimately, if the never-ending list of expensive data breach repercussions isn’t enough get businesses to remain compliant with data regulations, what hope does the consumer have?

Nigel Hawthorn, EMEA marketing director, Skyhigh Networks (opens in new tab)

Image source: Shutterstock/wk1003mike