Size doesn’t matter (so says the ICO about recipients of big fines for data breaches)

The Information Commissioner’s Office (ICO) has, in a recent press release accompanying its decision to fine an SME £60,000 following a cyber attack, characterised that fine as an explicit “warning to SMEs”, and emphasised that data protection laws apply to businesses that handle personal data – regardless of size.

We’ve become used to seeing SMEs being handed five figure fines by the ICO for unlawful marketing practices; less so when it comes to failures to safeguard personal data. Despite the prevalence of such failures, most of the significant fines we’ve seen have been levied on public authorities and big corporates.

At £60,000, this fine might be just a fraction of the headline-grabbing, record-setting £400,000 penalty issued to TalkTalk when it suffered a similar style cyber attack (i.e. SQL injection). But the SME in question’s last set of abbreviated accounts indicated total net assets of just over £185,000 and an accumulated profit since the previous year of less than £100,000. So a balance sheet which contrasts sharply with TalkTalk’s (whose most recent results show net assets of £140 million), and on which a £60,000 fine is likely to leave a far bigger dent.

The ICO’s decision highlighted failures such as not conducting regular website penetration testing, not using a strong password and not securing a decryption key. It’s also worth noting that although the SME’s website was developed by a contractor, the SME was still found responsible for those failures. This won’t come as a surprise to data protection aficionados, but may be a point overlooked by many businesses when commissioning or revamping their websites.

In issuing the fine, the ICO took the opportunity to remind us that “fines could be a lot higher” for failing to protect personal data when the General Data Protection Regulation (GDPR) comes into force next year – a prospect which will likely motivate many SMEs to review their information security practices as part of their data protection compliance generally. Those businesses might find the Government’s Cyber Essentials scheme a useful place to start, as it aims to put in place cost-effective basic cyber security for organisations of all sizes.