With the announcement by International Consolidated Airlines SA (LON:IAG) that The Information Commissioner's Office (ICO) intends to fine it £183,390,000 we have the first indication of the huge escalation in the value of fines to be levied under the UK Data Protection Act 2018. This fine is equivalent to 1.5 per cent of British Airways' worldwide turnover for the financial year ended 31 December 2017; the maximum allowable is 2% of global turnover. This fine is a result of the theft of customer data from the BA website disclosed on the 6 September 2018 and 25 October 2018 (post GDPR and DPA 2018 coming into effect). By comparison Facebook was only fine £500,000 in the wake of the Cambridge Analytica scandal, which under the new act could potentially have been £1.2bn; maximum allowable 4% of global turnover a higher tier of fine for misuse of data.
The cybersecurity industry has been expecting this escalation in fines - Ian Mann, CEO of ECSC (LON:ECSC) predicted this at the ShareSoc presentation in March 2019 and again only last week at a seminar. It is highly likely that any firm handling personal data will be re-examining their cybersecurity controls and considering what further investment they need to make.
In the light of Brexit the ICO has stated that UK data protection regime will have to be "equivalent" to the European Union under GPDR if we want to trade with the single market on equal terms. However, there is a view that it is likely that the ICO will wish to levy higher fines than those imposed in the EU to demonstrate that it has teeth and avoid potential issues in the event of a hard-Brexit.
The potential issues that might arise where the UK adopt a different set of less strict regulatory control is illustrated by the schism that emerged between the EU and the US in 2013. Austrian citizen Max Schrems, a user of Facebook since 2008, had complained to the Irish data protection authorities that recent revelations regarding the US National Security Agency demonstrated that US law and practice does not sufficiently protect personal data from state surveillance. In a landmark ruling, the European Court of Justice rejected the 'safe harbor' data sharing agreement with…
The ICO seems to have suddenly woken up. They've now slapped Marriott with a £99 million fine:
https://ico.org.uk/about-the-i...
Looks like this came out because Marriott decided they needed to file this with the SEC - which suggests there may be more of these floating about that we don't yet know about.
No idea what the best way of playing this is, but I'd certainly be discounting any internet based companies I owned, because if they aren't planning to step up their cybersecurity spend as a matter of urgency they really aren't paying attention.
timarr
