Recently, plenty of news on fines imposed due to information security incidents have been published. Let’s have a look at a few significant cases, which took place lately.  

The most noticeable is the case with T-Mobile. In 2021 the company experienced a data breach that impacted approximately 76.6 million users in the USA. The exposed data includes social security numbers, names, addresses, and driver's license information. In order to settle a class-action lawsuit the company agreed to pay $500 mn. The expenditures will be spread the following way: $350 million will be put into a settlement fund and then allocated among lawyers, fees, and the affected. The remaining $150 million will be invested in the "data security and related technology" during 2022 and 2023.

The second remarkable incident is connected with Uber. The problem dates back to 2016, when the company experienced a significant data breach. As a part of non-prosecution agreement Uber officials admitted the fact of its directors, officers, employees and agents concealing a data breach in 2016 from the Federal Trade Commission (“FTC”).  As it was revealed, intruders copied large amount of data on Uber’s users and drivers. They used stolen credentials to access a private source code repository and obtain a private access key. This leakage contains data pertaining to approximately 57 million user records with 600,000 drivers’ license numbers. According to the statement, Uber agrees to “pay $148 million and to implement a corporate integrity program, specific data security safeguards, and incident response and data breach notification plans, along with biennial assessments”. 

The Croatian DPA has fined a telecommunications company with EUR 285,000. In this particular case the company, again, had suffered a data breach. Intruders obtained data from about 100,000 data subjects. According to the DPA investigation, the breach occurred due to the “company’s failure to implement adequate technical and organizational security measures for the processing of personal data” such as lack of access restrictions for processing systems. 

These events are quite remarkable links of a large chain of fines. We’re witnessing a significant change in the legislation pertaining to information security. Firstly, the number of legal acts and various  standards in the sphere of information security, which come into force around the globe is growing steadily. Next, there is a step change in the amount of cases, when a data operator is charged with a  fine. These trends should result into improvement of the situation in the information security sphere and reduction of data leaks.  All companies and organizations should be ready to face the  prosecution in the form of a large fine in case they can’t ensure the safety of data keeping and processing.