Regulators have been flexing their muscles in recent months, dishing out some very large fines for data breaches and lapses in cyber security. The high values are further evidence that regulators are getting serious about cyber security.
One of the largest penalties came from the UK’s financial services regulator, the Financial Conduct Authority (FCA). It fined Tesco Personal Finance (Tesco Bank) GBP 16.4 million for failing to exercise “due skill, care and diligence” in protecting its personal current account holders. In November 2016, cyber attackers exploited deficiencies in Tesco Bank’s financial crime controls and its financial crime operations team to steal some GBP 2.4 million over 48 hours.
Mitigating factors led to a discounted fine for Tesco, including the early settlement and high level of cooperation, as well as the bank’s redress programme for affected customers. Absent the discounts for mitigating factors, the FCA would have imposed a penalty of GBP 33.6 million, it says. Issuing the fine, the regulator warned that it has “no tolerance” for banks that fail to protect customers from foreseeable risks.
The FCA says Tesco had not responded to the November 2016 cyber-attack with sufficient rigour, skill and urgency. It also concluded that Tesco Bank had failed to take appropriate action to prevent the foreseeable risk of fraud.
Commenting on the Tesco Bank cyber-attack, the FCA called on banks to focus on resilience, reducing the risk of a successful cyber-attack occurring in the first place. In July the FCA published a discussion paper about strengthening the operational resilience of financial services firms with regard to cyber-attacks and other disruptive operational incidents.
UK banks have been plagued by IT outages, the largest being the weeks of service disruption suffered by TSB Bank customers, following a problematic IT platform migration in April. In September, a number of UK banks were hit by unrelated glitches and outages, including TSB, HSBC, RBS and Barclays. The FCA discussion paper suggests that the regulator intends to take a more active role in driving cyber resilience in the financial services sector.
The UK’s Information Commissioner’s Office (ICO) has dished out a number of large fines in the past few months, including a (pre-GDPR) maximum fine for credit monitoring firm Equifax.
On 20 September, the ICO issued Equifax with a GBP 500,000 fine for failing to protect the personal information (ranging from names and addresses to financial information) of up to 15 million UK citizens during a cyber-attack in 2017. The incident, which happened between 13 May and 30 July 2017 in the US, affected 146 million customers globally.
The ICO’s investigation was carried out under the Data Protection Act 1998 (DPA), rather than the EU’s GDPR, as the cyber-attack occurred before the stricter laws came into force in May 2018. The fine is the maximum allowed under the DPA. Under the GDPR, however, the ICO can issue fines of up to EUR 20 million or 4% of annual global turnover, whichever is higher.
Although the data breach took place in the US, the ICO concluded that the UK arm of the company failed to take appropriate steps to ensure its US parent Equifax Inc was protecting the information. The investigation revealed multiple failures at the credit reference agency that led to personal information being retained for longer than necessary and made vulnerable to unauthorised access.
The Equifax fine is just the latest issued by the ICO, which earlier indicated that it would fine Facebook GBP 500,000 for the alleged misuse of user information by data analytics firms, including Cambridge Analytica. It also recently fined health insurer Bupa GBP 175,000 for “systemic” failings related to a pre-GDPR data breach (an employee stole the personal information of 547,000 Bupa customers and offered it for sale on the dark web); while Heathrow Airport was fined GBP 120,000 for failing to ensure that personal data was properly secured after an employee lost a USB stick.
In the US, Uber agreed to pay USD 148 million to settle a legal action related to its massive 2016 data breach, which exposed the details of 57 million customers and drivers. Uber was found to have breached state notification laws by not reporting or disclosing the data breach; instead, Uber paid hackers USD 100,000 to destroy the data.
The payment settles legal action brought by the US government and 50 states over Uber’s failure to disclose details of the data loss. The company has yet to settle legal action brought by drivers, customers and the cities of Los Angeles and Chicago over the 2016 data breach. As part of the settlement, Uber has agreed to put in place more secure systems and accept greater oversight of cyber security by the Federal Trade Commission.
Yahoo also agreed a multimillion-dollar settlement in September for its failure to disclose a large data breach in 2014. Altaba Inc, formerly known as Yahoo, said that it expects to incur a total of USD 47 million in litigation expenses to settle three class action cases for failing to disclose the 2014 cyber security breach. The settlement is said to draw a line under litigation related to the data breach.