This decision follows others where the Litigation Chamber considered cybersecurity failures as a factor among others (see e.g. decision of 22 January 2021), and it should serve as a signal for other organisations: all controllers and processors must ensure that the technical and organisational measures they have taken to keep personal data secure are appropriate. Otherwise, the bill could be magnitudes higher than the cost of implementing such measures. Fines across the European Union and in the United Kingdom for cybersecurity failures are often in the hundreds of thousands or even millions of Euros, with the more limited ones (such as this one, at 100,000 EUR) often linked to what could be viewed as limited cybersecurity failings – or a limited number of known affected data subjects. If an organisation fails massively at cybersecurity, a massive fine may be forthcoming.
Put differently, cybersecurity is not a sunk cost – it is a good and necessary investment. It is a crucial safeguard for the business, in many cases a sales argument as well, and also a great way to limit the cost of (inevitable) incidents and to mitigate fines for inadequate measures.
Read here the analysis by our Data & Cy