The UK’s ICO made a statement with a hefty fine
The ICO is empowered to fine an organisation (subject to appeal and judicial review) up to 2% of its global annual turnover, or €10 million, whichever is higher, if it has not taken “appropriate technical and organisational measures” to secure personal data and that lack of diligence has resulted in a breach.
Now, this is very much an upping of the ante: the highest fine the ICO had previously levied was £500,000 on Facebook Ireland, which was the maximum available under the pre-GDPR Data Protection Act 1998 (and is of course a drop in the ocean in terms of revenue for the social networking giant).
The regulator clearly felt that a statement was needed that this is a new era in data privacy. In the 21st century, large companies rely on vast streams of data to operate their business models effectively and to produce value both for themselves and for their clients.
As is often the case, regulatory structures designed to contain the fallout of negative externalities are struggling to catch up with the extremely rapid progress of technology and its effect on processes and people.
An appeal’s outcome would signal how seriously organisations should take open source code
The airline has already submitted an appeal. Good behaviour post-incident may influence the scale of a fine, but it does not determine whether a fine is applicable in the first place; it is now up to the courts to decide whether the fine follows the spirit of the law.
What matters is whether an organisation has been negligent, or even actively reckless, with regard to its security procedures. An aggressive decision from the courts would give the ICO a freer hand to pursue reckless security breaches rather than hesitating over whether an investigation is worth the cost.
And the US is catching up with the GDPR-inspired California Consumer Privacy Act
Of course, all of this has to be put in context of the global picture.
Just last month Facebook was also fined $5 billion by the Federal Trade Commission (FTC) for major data privacy failures. The issue was that the company had failed to disclose both the nature and the scale of a leak of the personal data of over 50 million users to the now infamous Cambridge Analytica. The fine is the largest ever levied by the FTC against a technology company and is a strong indication that broader regulatory, political and social attitudes are hardening towards lax personal data processing.
And that is not even mentioning the class-action lawsuit that has just been allowed to move forward against the same company over automated facial recognition technology identifying people in photos posted to the site. The litigation could result in billions of dollars in damages, because the alleged collection and storage of biometric personal data may violate Illinois state law. The circuit court stated: “The development of face templates using facial-recognition technology without consent (as alleged here) invades an individual’s private affairs and concrete interests.”
Moreover, the GDPR-inspired California Consumer Privacy Act (CCPA) is scheduled to come into force on 1 January 2020, bringing a far more aggressive regulatory regime to organisations doing business in arguably the world’s most important tech jurisdiction.
The potential consequences are many: hopefully it would drive more DevSecOps investment
The cost of implementing appropriate security measures early in product and service design is minuscule compared with the potential regulatory fines and reputational damage. Yet AppSec and CloudSec remain the most underfunded areas in comparison with other security domains.
This reflects the fact that DevSecOps is a relatively young practice. Static analysis tools themselves are not new (lint dates back to the late 1970s, and commercial SAST products appeared in the early 2000s), but running them routinely inside developer pipelines, alongside dependency and cloud configuration checks, is a much more recent habit. As we move toward a world built on cloud-hosted microservice applications, spending in these two areas will no doubt increase.
So, check how secure your DevOps is: take a quick yet thorough survey to benchmark your DevSecOps maturity against your peers.