European financial institutions could face fines totalling €4.7 billion in the first three years under the new General Data Protection Regulation (GDPR), according to a study by Consult Hyperion.
The report, commissioned by security outfit AllClear ID, estimates that financial institutions may experience 384 data breaches during the timeframe, with fines as high as €260m per breach.
The figures were compiled from an analysis of historic data breach figures, adjusted for the size of the financial institution. GDPR sanction levels were then applied to the data. It was assumed that breaches fell at the lower end of the GDPR fine scale, which is €10m or 2% of global annual turnover.
Consult Hyperion stresses that the €4.7 billion figure is a conservative forecast, as it excludes compensation claims, costs associated with lost customers, damaged reputations and senior executive resignations.
“The highest risk item in the GDPR is the 72-hour breach notification requirement, and banks are not mitigating this,” says Tim Richards, principal consultant, Consult Hyperion. “Data breaches are an unfortunate fact of life for financial institutions, and our analysis suggests that there have been no fewer than 27 data breach incidents among European Tier 1 banks in the last decade, with some banks as multiple offenders, potentially liable for fines at the 4% level. This indicates an 8% chance that any Tier 1 bank will suffer a data breach in any given year.”
He says that new European regulations such as PSD2, ePR and AMLD4/5 are likely to compound the issue by opening additional liabilities.
With less than a year before GDPR goes live, the report advises banks to take urgent action by drafting in the expertise to deal with breach-specific issues and to handle the volume of queries generated when a data loss is publicised.