A leading payment card industry body is warning that UK organizations could face fines in excess of £120 billion following the enforcement of new EU data protection laws in May 2018.
The PCI Security Standards Council (SSC) calculated the sum based on the maximum fines possible under the new EU General Data Protection Regulation, which will come into force on 25 May in two years’ time.
These stand at 4% of global annual turnover or €20 million (£18m) – whichever is greater.
The council argued that if breaches stay at the levels observed in the PwC Information Security Breaches Survey 2015 – 90% of large organisations and 74% of SMEs – then fines could soar 90-fold from the current maximum of £500,000 that the ICO is empowered to levy.
PCI SSC international director, Jeremy King, described the new legislation as an “absolute game-changer” for large and small firms alike.
“The regulator will be able to impose a stratospheric rise in penalties for security breaches, and it remains to be seen whether businesses facing these fines will be able to shoulder the costs,” he added.
“Companies, both large and small, need to act now and start putting in place robust standards and procedures to counter the cybersecurity threat, or face the prospect of paying astronomical costs in regulatory fines and reputational harm to their brand.”
However, the figure of £122 billion is unlikely to be reached, given that regulators are expected to reserve the maximum fine for serious non-compliance and could give firms a lengthy ‘bedding-in’ period after May 2018. That said, the mandatory breach reporting requirements also introduced by the GDPR could increase the number of incidents the regulators have to appraise.
Tony Pepper, CEO of Egress Software Technologies, argued that firms need to address internal as well as external threats to fortify systems against breaches.
“Companies are running the risk of applying too much emphasis on one aspect of information security to the detriment of other areas of significant risk,” he added.
“There is little point securing the business from a hacker if the reality is an employee will make a mistake – for example sending confidential information via email to the wrong person – and expose the organization to financial penalties and loss of customer confidence anyway.”
Financial penalties are also not the only potential impact of a data breach: reputational damage, revenue loss from departing customers and a share price slump are all major downsides too.