Contributed By Tim Roncevich, Partner, CyberGuard Compliance
The United Kingdom issued the maximum fine to Equifax following its massive data breach in 2017.
But it could have been worse.
The £500,000 ($660,000) penalty accounted for only a minuscule percentage of the credit bureau’s $3.3 billion (£2.5 billion) in annual revenue. Regulators could have levied a larger fine if the General Data Protection Regulation (GDPR) had been fully implemented at the time of the breach, which affected as many as 15 million UK citizens.
Now that GDPR is fully in effect, a future breach could draw a fine of up to four percent of a company’s annual global revenue or £17 million (€20 million or $22 million), whichever is greater. Companies should treat Equifax’s punishment as a warning of the stiffer penalties to come, because regulators will maximize fines for data breaches. To put this in perspective, if the GDPR’s maximum fine had been levelled against Equifax, it could have cost the company $132 million (£100 million). That’s a law with some serious teeth.
In announcing the fine for Equifax on Sept. 20, regulators with the Information Commissioner’s Office explained that the company was lax in its security and dismissive of its obligations for protecting consumer data. “Equifax Ltd showed a serious disregard for their customers and the personal information entrusted to them, and that led to today’s fine,” Information Commissioner Elizabeth Denham stated.
The average cost of a data breach is already $3.9 million, including damages, fines, and losses. Steeper penalties calculated as a percentage of revenue would only worsen the blow, even for the largest corporations with the deepest coffers.
Learn from the Equifax example. Adopt these cybersecurity measures if you haven’t done so already.