There was quite a clamor made in July when the Information Commissioner’s Office (ICO) announced its intention to fine British Airways £183.39m for infringements of the GDPR.
These infringements related to the digital skimming data breach that the airline suffered in September 2018. Likewise, heads turned again when the ICO went public with its intention to fine Marriott International £99m for exposing 339 million guest records in November 2018.
I’d first like to point out one important thing in both of these cases: these are intentions to fine and, at the time of writing, are not actual fines yet. There are processes to go through, representations to be given and final decisions to be made about exactly how much each company will be ordered to pay.
Whatever happens though, the figures being discussed are astronomical – sure, neither represents the maximum 4% of annual turnover that the ICO has the power to levy as monetary punishment, but we are talking about hundreds of millions of pounds here.
It may therefore come as a bit of a surprise for me to ask, when it comes to the really mammoth companies in the world like BA and Marriott International, is it enough? Now, by ‘it,’ I don’t mean the actual sums of money mentioned, I mean money in general. Hear me out.
For so long, the main talk around GDPR has been those big, bad fines. That has been the proverbial stick that so many have referred to as the key incentive for not wanting to fall foul of the regulations.
Well, not long ago, the social media giant Facebook was handed a fine to the tune of $5bn by US regulator the Federal Trade Commission over its violations leading to the Cambridge Analytica scandal, which led to personal data on 50 million users and their friends being used without their consent. I repeat – $5bn. Surely, even Facebook would feel the full effects of being hit by a fine of that magnitude? Well, not really. Facebook is worth hundreds of billions of dollars; the firm made over $15bn in the first quarter of 2019 alone. It seems to me like Facebook simply accepted that a fine would come, set aside the money, paid, and it has pretty much been business as usual ever since. Yes, the company announced plans for an overhaul of its internal processes to better foreground user privacy, but it does rather feel like Facebook got away with a bit of (an expensive) slap on the wrist.
It’s therefore my belief that astute regulators, particularly the ICO, will need to call upon other weapons in their armory to really hit the colossal firms where it hurts for failures in compliance. After all, under the GDPR, the ICO has powers to inflict punishments that go beyond fines: for example, it can force a company to stop processing data for a length of time. That would have a far greater impact on companies than any monetary fine that the ICO could hand out, and maybe this should become a trend that will remind the big players that no matter how much money they have in the bank, their ability to process data is priceless.
One industry that might want to take extra caution is the gaming sector. Our cover feature explores the significant rise of cybercrime targeting the booming, hugely popular but relatively insecure gaming industry, a reminder that cyber-criminals will always seek to go after quick, easy money. With the gaming industry being one of the most profitable and fastest-growing in the world, the sector will have its work cut out to get up to speed with the security required to keep it safe. Find out more about that on page 12.
We’ve seen other threats come to the fore recently too, with particular advancements being made in fraud techniques. Our feature on page 18 reflects on the evolution of fraud and the damage modern-day fraudsters can cause. Likewise, recent times have seen hackers turn their sights to exploiting the domain name system – the foundational layer of the internet that seems to be both an open door for hackers to abuse and, with some thought and foresight from defenders, a means of stopping pretty much any attack in its tracks. Further, on page 34, Infosecurity asks what the deal is with DNS.
Plenty to get stuck into in this issue then, and there’s also our next Online Summit to look forward to too! We’ll be hosting the two-day event on September 24 and 25, and you can register here.
Lastly, I’m delighted to announce my promotion to the permanent role of editor, with Eleanor Dallaway returning from maternity leave to take on the role of publishing director. Congrats Eleanor and welcome back!