Since August 2015, the Information Commissioner’s Office (ICO) has fined companies approximately £8.8 million for spam and data breaches.
The ICO has been publishing the action that they’ve taken, providing detailed information about all the monetary penalties and enforcement notices that they’ve issued.
For the first time, this information has been collated to reveal detailed insights into the levels and type of spam being prosecuted – all fines data was released by The ICO and compiled by SMS Gateway provider, The SMS Works.
ICO fines issued since August 2015 total £8,794,251, with 104 separate monetary penalty notices issued in the same period.
2017 saw an annual increase in fines of 68.9% (a rise from £2.9 million to £4.9 million). The ICO is signalling its intent to adopt a zero-tolerance approach to companies that break the rules.
Indeed, Steve Eckersley, head of Enforcement at the ICO, stated that “Companies who pester the public must understand they won’t get away with it. The ICO will take action.”
4 categories of breach attracting fines
SMS: Spam texts sent to consumers
Email: Spam to private individuals, sole traders or partners
Nuisance calls: An unwanted illegal intrusion – often automated
Data breach: When an organisation fails to protect personal data
Number and value of fines issued by type of activity since August 2015
Average fine by breach type
Nuisance calls: £91,101.00
Data breach: £73,500.00
Nuisance calls accounted for nearly 46% (£4,017,000) of all monetary penalties issued.
Email spammers are getting away lightly. Just seven fines have been handed out for email spamming, amounting to less than £250,000, compared to 23 fines and £1.5 million for SMS spam.
The average fine for SMS spam is a hefty £108,430, while for email breaches it is a very modest £40,000. Data breaches accounted for 39% of all fines issued.
Breaches by industry sector
Financial services proved to be the worst industry sector for receiving ICO fines with 24 separate penalties having been issued since August 2015, accounting for 23% of all fines.
Surprisingly, the charity sector is second. Fines were mainly for data enriching, where donor data was shared with other charities without adequate consent.
Following the substantial ICO fine for Carphone Warehouse this month for a data breach in 2015, what are the other notable ICO fines?
In October 2016, telecoms company TalkTalk was issued with a joint-record £400,000 fine for security failings, which allowed a cyber attacker to access the personal data of 155,959 customers and the bank details of 15,656.
“TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease,” said Information Commissioner Elizabeth Denham.
In May 2017, a company behind 99.5 million nuisance calls – Keurboom Communications – was fined £400,000 by the Information Commissioner’s Office.
“These calls have now stopped but our work has not,” said Eckersley. “We’ll continue to track down companies that blight people’s lives with nuisance calls, texts and emails.”
As the EU’s General Data Protection Regulation approaches, the landscape of fines issued by the ICO will change dramatically.