Tesco Bank FCA fine proves it's not just the ICO that will fine companies for security breaches, say lawyers

Companies that don't take security seriously enough could be hit with multiple fines from different regulators

Organisations will increasingly face heavy fines from multiple authorities for security breaches, lawyers at London law firm Fieldfisher have warned.

Judy Krieg, a partner in the Privacy, Security and Information practice at Fieldfisher, was commenting today following news that Tesco Bank had been hit with a £16.4 million fine from the Financial Conduct Authority (FCA) over the failings that contributed to its security breach in November 2016.

That breach saw £2.26 million stolen from more than 9,000 compromised accounts at Tesco Bank.

Under the old data protection laws, Tesco Bank could be fined a maximum of £500,000 by the Information Commissioner's Office (ICO), with a 20 per cent discount for early payment. If the breach had occurred under GDPR, Tesco Group could conceivably have faced a fine of £1.9 billion - on top of the fine disclosed today from the FCA.

"This is something which other financial institutions should take note of," Krieg told Computing.

She added: "The fine was imposed as a breach of Principle 2 - that firms must operate their business with due skill, care and diligence. This is (by design) a high-level principle that the FCA has interpreted to cover cyber breaches.

"The FCA has stated that cyber resilience is a priority for the current (2017/2018) business plan. Notably, the FCA has no specific statutory remit specific to cyber breaches. It cannot enforce the GDPR (UK Data Protection Act 2018). But the FCA can impose fines for principles breaches such as this."

But on top of that, the legal requirement to report security breaches that could involve personal data to the ICO will also expose organisations to more investigations from other regulators, too.

"This is a word of warning to financial institutions that the Information Commissioner is not the only regulator who will take notice if there is a cyber breach," continued Krieg.

"Nor is it the only regulator to whom a report may have to be made. The FCA has made it abundantly clear that Principle 11 includes an obligation to notify the FCA of 'material cyber incidents'. This is separate from and independent of any obligation under the GDPR to notify the ICO of data breaches."

On top of that, Krieg pointed out, the FCA fines are not limited in the same way that fines levied by the ICO are. "So firms that are regulated by the FCA and suffer a cyber incident need to give consideration to both the GDPR (and any obligations to the ICO) as well as the FCA principles and any obligation to the FCA," concluded Krieg.

At the recent Computing Cloud & Infrastructure Summit, Dr Kuan Hon, a director in the Privacy, Security and Information group at Fieldfisher, also warned that organisations could face action from multiple authorities for security breaches under both GDPR and the Network and Information Systems (NIS) directive, which the UK implemented at the same time as GDPR in May this year.
