Image of UK parliament building signifying the ICO levying fines for spam and data breaches
ICO Flexes Its Muscles with 69% Increase in Fines for Spam and Data Breaches

ICO Flexes Its Muscles with 69% Increase in Fines for Spam and Data Breaches

The Information Commissioner’s Office (ICO) has fined 104 companies and organizations a total of £8.7 million for failures in data security and anti-spam regulations since August 2015. The ICO has the power to fine companies up to £500,000 for spam and data breaches and they are increasingly active in their efforts to reduce offences. 2017 witnessed an annual rise in fines of nearly 69 percent, from £2.9 to £4.9 million.

When the EU General Data Protection Regulation (GDPR) comes into effect on May 25th, the ICO’s powers will be bolstered further, with the maximum monetary penalty increasing to 20 million Euros or 4 percent of global turnover, whichever is the greater.

Nearly half of all fines for spam phone calls

The ICO fines data, collated by The SMS Works, revealed that nuisance phones calls attracted 33 separate fines, accounting for 46 percent (£4,017,000) of all fines issued since August 2015.

Millions of consumers have been pestered by calls at their homes, made possible by automated dialing systems that enable unscrupulous companies to invade people’s lives without human intervention.

One of many notable nuisance call fines was handed out to Keurboom Communications in May 2017. They were fined £400,000 (close to the maximum £500,000), for making an incredible 99.5 million phone calls to people at home.

Commenting on the case, Steve Eckersley Head of Enforcement at the ICO said, “These calls have now stopped but our work has not. We’ll continue to track down companies that blight people’s lives with nuisance calls, texts and emails.”

Email spammers getting off lightly

While the average penalty for SMS spam is £108,000, email spammers have been treated far more leniently, with the average fine for email breaches standing at a more modest £40,000.

Furthermore, email breachers are also being punished far less frequently, with just 7 fines issued since August 2015, compared to 23 for SMS spam. Fines for email spam totaled just £241,250 compared to SMS spam which stands at £1,539,500.

Data breaches attract the highest number of fines

Forty-one companies and organizations have been fined for data breaches since August 2015. This accounted for 34 percent (£2,996,501) of all fines.

Telecommunication giants in particular have been found to have inadequate data security measures in place. As well as the recently reported £400,000 fine handed to Carphone Warehouse, TalkTalk Telecom was also found to have been open to cyber attack.

In October 2016, they were also presented with a £400,000 fine for security failings that allowed cyber criminals to download the personal details of 155,959 customers and the bank details of 15,656.

Elizabeth Denham, Information Commissioner said, “TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease.”

Financial services firms awarded largest number of fines

Twenty three percent of all fines were handed out to the financial service sector, more than double the number of the second most fined sector.

Charities were surprisingly second in the hall of shame, attracting 10.5 percent of fines. For charities, the fines were mainly for data breaches where they had been sharing donor data with other organizations, without obtaining the correct consent.

The practice of ‘data enriching’, where donors can be profiled more accurately by combining information from multiple sources is likely to become more problematic when GDPR comes into effect.

A grim future for data breachers

Companies that are thinking of breaking the rules will find little room for maneuver in a post GDPR world.

The fines data should act as a wake-up call to all companies and organizations that process and handle consumer data. The clock is ticking and companies that haven’t done so already, need to urgently address data security before the May deadline.

All fines data was released by the ICO and compiled by SMS API provider, The SMS Works.