How Common Are Prosecutions For Data Breaches?
The UK legislation on what data security measures should be in place, and on who a suspected breach must be reported to, is the GDPR. The UK GDPR is very similar to the EU model; both have been in force since 2018. That should have been long enough for prosecutions to have worked their way through the system, so it is worth looking at the results.
Although the UK GDPR is not exactly the same as the EU version, the two follow the same core principles. In Ireland, for example, breach reporting and fines are the remit of the Data Protection Commission. UK fines for non-compliance with the GDPR can be up to £17.5 million or 4% of total annual worldwide turnover in the preceding financial year, whichever is higher. A fine is not automatic and may be well below the maximum, but heavy fines have been imposed in practice.
In the UK, data breaches must be reported to the ICO (Information Commissioner's Office) as part of the response to an incident, but the ICO can and does issue fines where it believes the victim had not put sufficient safeguards in place. This gives the criminal leverage: a ransom demand can be pitched significantly below the maximum fine that might be imposed, with the ‘promise’ that the problem will ‘go away’.
In 2022 the UK ICO imposed 34 fines across 33 cases; 29 of these were for breaking electronic marketing rules (breaches of the ‘Privacy and Electronic Communications Regulations’). Of the remaining 5, only 3 concerned article 6 of the GDPR, which deals with protecting the security of personal data. One of the 3 was the law firm Tuckers, fined £98,000 following a ransomware attack because of their ‘negligent security practices’. The failure was partly due to a software patch released in January 2020 but not applied until June 2020; although the attack did not occur until August 2020, the system may already have been compromised by the time the patch was applied. A lack of multi-factor authentication for remote access to their network was also noted in the case.
Within the EU and UK an on-line enforcement tracker provides a count of fines, locations and causes related to GDPR. Here are some country totals up to June 2023:
| Country | Fines |
| --- | --- |
| Isle of Man | 3 |
| UK | 13 |
| France | 37 |
| Croatia | 21 |
| Ireland | 25 |
| Germany | 160 |
| Spain | 679 |
| Total count of cases (all countries) | 1,929 |
It does seem that some governments are more enthusiastic in prosecuting than others, or that some areas harbour a higher proportion of offenders.
Many cases relate to breaking more than one article of the GDPR; violating articles 6 and 32 in the same enforcement action is not uncommon. Of the 1,929 entries in total:

| Article | Violation | Cases |
| --- | --- | --- |
| Article 6 | Insufficient legal basis for data processing | 691 |
| Article 32 | Insufficient technical and organisational measures to ensure information security | 411 |
Some of the fines imposed are relatively low, such as the €2,500 imposed on Farmacia Ardealul SRL in June 2023:
‘The Spanish DPA has imposed a fine of EUR 2,500 on Farmacia Ardealul SRL. The controller had reported a data breach to the DPA. During its investigation, the DPA found that an unauthorized installation of malware on the controller’s website led to uncontrolled processing of customer data (bank data). The DPA found that the controller had failed to install appropriate technical and organisational measures to protect personal data.’
There is no clear pattern as to who is convicted, for what, or where. Prosecutions are clearly being made, but the degree of compliance and of enforcement depends on the local legislation and the local supervisory authority.