Government issues £17m fine warning to firms lax on cyber-security
Fines of up to £17m could be imposed upon organisations that fail to put in place strong cyber-security measures, under new proposals from the government.
Energy, transport and health providers are among essential infrastructures that could be targeted under the planned crackdown.
The suggested fines, capped at £17m or four per cent of global turnover, are aimed at preventing hackers from crippling networks and would also cover issues such as power failures and environmental risks.
They would not apply to operators who had followed proper procedures but still suffered an attack, the Department for Digital, Culture, Media and Sport (DCMS) said.
Measures will include monitoring threats and detecting attacks, good staff training and having quick-recovery systems in place.
The plans are part of a consultation launched by the DCMS on Tuesday with the aim of launching the Network and Information Systems (NIS) directive from May 2018.
Minister for digital Matt Hancock said: “We want the UK to be the safest place in the world to live and be online, with our essential services and infrastructure prepared for the increasing risk of cyber attack and more resilient against other threats such as power failures and environmental hazards.”
He urged public and private providers to weigh in on the consultation.
The measures concern loss of service rather than loss of data, which is covered separately under the General Data Protection Regulation (GDPR).
Joe Hancock, cyber security lead at Mishcon de Reya, said: “The continued high profile of this bill again underlines how crucial cyber security is when it comes to the protection of data.
“As well as protecting data from hackers, or from simply being lost by staff, companies must notify individuals when their data is lost or stolen within 72 hours if the loss poses a serious risk to them.
“The fines for data breaches under the new laws will be greatly increased from a maximum of £500k today to up to £17m or four per cent of global revenues. These are huge numbers and not to be taken lightly. However, it is unlikely that these penalties will be widespread given the sheer number of organisations the bill applies to and the historic lack of heavy enforcement action for all but the worst offenders.”
Mark Lubbock, technology partner at law firm Ashurst, said: “It places the burden on providers of ‘essential services’ – i.e. energy, health, transport, water and digital infrastructure – to prevent attacks.
“While the figures announced highlight the top of the fining threshold, there are likely to be huge variations in practice not least because of the plethora of regulators involved. Ultimately, whether an organisation is fined for a cyber attack, and the scale of that fine, will probably come down to the consequences of the breach and whether it could or should have been prevented.”
Last month, a report analysing the potential damage of cyber-attacks concluded that the total cost to governments and businesses could match the scale of Hurricane Sandy depending on the type of attack.