The news today -- in fact, the news in the making for the last couple of years -- is that brands will probably have to start thinking about loyalty implications a lot less than they are massive new fines. The reason is that the punishments for breaches are going to skyrocket in the EU within the next year or so when the Data Protection General Regulation (DPGR) eventually becomes law. Plus, the digital giants could find they are also covered by punishments laid out in a new regulation being drafted to cover protecting customer data.
The DPGR has been discussed for the past couple of years, but people I've been speaking to believe the final details are being ironed out and it really will become law this year, or next at the latest. It brings in far higher fines than the Information Commissioner's Office has hit brands with to date. These rarely get over the tens of thousands of pounds mark, and the occasional figures of more than £100k, trotted out as an example of a tough line, are incredibly rare and reserved for those who have been shockingly irresponsible in how they have handled data and reacted to a breach. Industry insiders tell me that in a typical case for the average-sized company requires only disclosure, an apology and steps to tighten up security.
The new Network and Information Security Directive being drafted largely appears to me to be mirroring the United States' policy of people having the right to know when their data may have been compromised. Disclosure rules, particularly in the UK, tend to be less stringent unless it is proven that someone's data has been stolen.
So the point of all this is that reporting rules are going to become stricter -- and fines, via the DPGR, will rise from tens of thousands to a one million euro punishment or 5% of global annual turnover, whichever is greater. Yes, that's right -- global turnover and 5%. Well, that's the thinking so far -- and I wouldn't be surprised to see that fall a little, but nevertheless, fines will shoot up.
It's interesting because, to come back to the original point. Do you actually know of any brands that have closed because customers walked after a security breach? I'll give you some names that were mentioned as being among those that could find nobody would trust them any longer -- how about Microsoft, eBay and Walmart who are no doubt about to be joined by Carphone Warehouse. Do some extensive searching and there are a couple of companies that people can hold up as being examples of firms that folded after a breach, but they tend to be cloud-based services where the breach closed them down before customers had a chance to walk. The big-name hack attack victims appear to be very much alive and kicking despite the reputation damage -- which, although it was very real at the time, was never truly threatening to close them down.
So as we put that cliche of brands closing after a hack attack to one side, let's consider the real thing marketers need to be aware of -- US-style rules on reporting the chance someone may have been compromised is one thing, the huge implication here is million euro fines or 5% of global turnover as new maximum fines.
I think marketers with a brain have always known to take warnings that the XBox may crumble because of hackers are ludicrous. I'm not so sure anyone would like to dismiss a fine of 5% of global turnover, however.