The Cost of a Security Breach

Facebook Agrees to Pay ICO’s £500,000 Fine

Almost exactly twelve months after the ICO issued its £500,000 fine against Facebook, this news comes as a stark reminder that companies need to do all they can to responsibly handle personal information. Withdrawing its appeal, Facebook has finally decided to pay the penalty, though unsurprisingly makes no admission of liability in relation to its violations of the Data Protection Act 1998.

A spokesman for Facebook stated in relation to the agreement “we wish we had done more to investigate claims about Cambridge Analytica in 2015”, adding “we are pleased to have reached a settlement with the ICO.” A statement that, when considering the alternative, seems to be something of an understatement.

Half a million pounds is obviously not a sum to be sniffed at, though when we take into consideration Facebook’s 2018 revenue of $55.8 billion, it doesn’t really seem to be much of an imposition. This is largely due to the timing of the events.

“Protecting people’s information and privacy is a top priority for Facebook, and we are continuing to build new controls to help people protect and manage their information”

Facebook

To put this fine in perspective, if the Facebook-Cambridge Analytica Scandal had happened following the introduction of the GDPR, then the fine levied by the ICO could have potentially surpassed £1.7 billion. That figure being 4% of Facebook’s 2018 global revenue, which would be the greatest fine the ICO could impose for the data protection violations that began the scandal - had it happened three years post.

The data protection violation, which occurred in 2015, resulted in the maximum possible fine of £500,000 and despite a year of protestation, will now be paid to the UK government’s consolidated fund.

Accompanying the announcement from the ICO, Deputy Commissioner James Dipple-Johnstone said of the agreement “Protection of personal information and personal privacy is of fundamental importance, not only for the rights of individuals…we expect that Facebook will be able to move forward and learn from the events of this case”.

Whatever your thoughts are regarding the resulting fine, or indeed the scandal, one thing that can be stated with certainty is that once again, governments are no longer tolerant of companies and organisations that fail to meet the standards demanded by data protection regulations such as the GDPR.

When dealing with the possibility of fines up to €20 million or 4% of annual global turnover, organisations must face the reality that it is no longer profitable or viable to be non-compliant with data security standards. Not to mention that fines are just one of the many costs of not being information secure.

“Ignorance is no excuse when it comes to these fines; executives need to do their homework and realise that the GDPR affects every aspect of every business.”

Simon Fraser – Hut Six

In the Department for Digital, Culture, Media & Sports’ latest survey we discovered that 32% of UK businesses identified cyber breaches or attacks in the last 12 months. We also found out that the cost of an attack ranged from as little as £300 all the way up to £100,000, without considering the potential cost of imposed fines.

Information security is undeniably a business necessity, and this legislation demands tighter controls and policies, including educating your staff and raising security awareness across your organisation. Regardless of the size or sector of your organisation, maintaining compliance with this legislation is a process of continued effort.

This ICO imposed fine demonstrates just part of the potential costs that companies open themselves up to. Requiring both vigilance and an openness to change, enabling and embedding a secure culture is now business critical.