Under the General Data Protection Regulation (GDPR), lesser data breaches can warrant a fine of up to 10 million euros or two percent of annual global turnover. Serious breaches could attract a fine of up to 20 million euros or four percent of annual global turnover.
Although UK data regulator, the Information Commissioner’s Officer (ICO), claims it has no intention of being heavy-handed, saying it is “committed to guiding, advising and educating organisations… preferring the carrot to the stick” - it is however committed to using fines as a deterrent. This could prove costly for ill-prepared organisations. Here’s what they need to consider – fast.
Are ICO fines for data breach insurable?
This is a great debate amongst lawyers and insurance, but the majority sway towards the “no” verdict. It seems to boil down to whether the fine would be considered criminal, in which case, as a matter of public policy, the courts are considered unlikely to allow the cost of the fines to be picked up by an insurance firm. After all, this would defeat the purpose of the intended deterrent effect of the fine.
The full costs of ICO investigation / enforcement action
In addition to a potential business-busting fine, there is a long list of additional costs that trail in the wake of a data breach and ICO investigation. Putting aside the painful possibility of cyber extortion through ransomware, here is a list of some basic costs:
- Investigation costs to determine the cause of breach
- Communication and notification costs
- Disaster recovery costs
- Legal advice
- PR to protect your organisation’s reputation
- Potential lost income and payroll as a result of a breach
- Potential legal costs and compensation claims from individuals suing for personal data breach
While insurance is unlikely to cover ICO fines and penalties, a rigorous cyber insurance policy could potentially cover the above costs. But be careful. Our partners at Clayden Law warn organisations not to assume that your business or cyber insurance policies will cover you for more than basic first party (i.e. your) costs.
Help protect against data breach with a cyber security policy
We all know it’s not a question of “if” but “when” your organisation will be on the wrong end of a cyber-attack. Last year, 66 per cent of small businesses admitted falling victim to cyber-crime – some of them twice in the same year. Investing in new technologies and having access to highly qualified staff will help protect against this. Fundamentally, though, you need to have a robust cyber security policy in place.
A good cyber security policy will dictate exactly how an organisation approaches security – from its infrastructure to employees’ GDPR responsibilities. It should identify who is responsible for maintaining and enforcing it, who will respond to resolve security incidents and which users have admin rights. It should also include information on three key elements:
- When a breach is detected, which security programs will be implemented
- How patches and updates will be applied to limit the attack
- How data will be backed up