Hello all, and happy Thursday!
When communicating with non-privacy professionals about what Osano does, I often have to clarify the distinction between data privacy and data security. (I'm sure plenty of privacy pros can empathize.) In fact, this happens so often that I sometimes forget the opposite problem exists: Plenty of people underemphasize the relationship between data security and privacy.
The UK's Information Commissioner's Office's (ICO's) recent fine against Capita, an outsourcing firm, brought this fact to mind. In 2023, Capita suffered a breach in which 6.6 million people's data was stolen, and they subsequently received a £14m fine.
In some respects, financial penalties levied against the victims of a cyberattack can be seen as rubbing salt in the wound; after all, a cyberattack already costs a great deal of money in cleanup and reputational costs. You have to wonder: Do regulators almost automatically apply non-compliance fines against companies that suffer a breach regardless of their security measures' quality? Or do regulators carefully assess whether lackluster security played a significant role in the cyberattack?
In this case, the UK ICO did a good job of explaining what specific security failures enabled the attack to take place. It's a good reminder that robust organizational and technical security measures are part of protecting people's privacy too.
Best,
Arlo
Highlights From Osano
Events
Event: P.S.R.
Come by booth 400 at this year's Privacy. Security. Risk (P.S.R.) conference! Not only will your favorite privacy vendor be in attendance, but you'll also have the opportunity to schedule a one-on-one strategy chat with our privacy experts, enjoy a(n awkward family) photo-worthy Osanoverse experience, and more.
Schedule time at the booth | October 28-31 | San Diego, CA
Meetup: AI, IRL: Hexes and Hallucinations
It's already in your stack, your prompts, your daily life…and sometimes it can haunt instead of help. Join us this spooky season as we yap AI terror tales! Seats are limited for this meetup, so grab yours today!
Register today | October 22nd | 1-3 PM EST
Top Privacy Stories of the Week
UK Fines Outsourcing Firm Capita £14 Million for Data Breach Affecting Over 6 Million People
The UK's Information Commissioner's Office (ICO) has issued a fine of £14 million to Capita for failing to ensure the security of personal data related to a breach in 2023 that saw hackers steal millions of people's information. The personal information of 6.6 million people was stolen, from pension records and staff records to the details of the customers of Capita's clients. For some people, this included sensitive information such as details of criminal records, financial data, or special category data.
EU Delays 'Chat Control' Law Over Privacy Concerns
Last week, Germany said it would vote against Chat Control, a contentious EU measure designed to protect children online. The country's leaders argued that it could be abused to monitor all citizens' private chats. Since Berlin has the swing vote, the move to postpone the vote and remove it from this week's agenda, which was scheduled for October 14th, isn't exactly surprising. This won't be the first time that the Chat Control bill has been shot down, and it likely won't be the last.
Britain Issues First Online Safety Act Fine to US Website 4chan
Ofcom, the British communications regulator, announced recently that it had issued imageboard 4chan a £20,000 ($26,000) fine for noncompliance with the Online Safety Act. The fine was issued after 4chan failed to respond to Ofcom's request for a copy of its illegal harms risk assessment and a second request relating to its qualifying worldwide. The fine amount will increase by £100 ($133) per day from Tuesday, and if ignored, could see British ISPs block the site.
California Expands Privacy Protections as Democratic-Led States Resist Trump's Immigration Agenda
Immigrants comprise a significant portion of California's urban sidewalk vendors. Some have been swept up in immigration enforcement actions, in part, because their outdoor work in public places makes them easier targets than people behind closed doors. A new law signed by Governor Gavin Newsom prohibits local governments from inquiring about vendors' immigration status, requiring fingerprinting or disclosing personal information (name, address, birth date, social media identifiers and telephone, driver's license and Social Security numbers, among other things) without a judicial subpoena.
EU Biometric Border Checks Begin for Non-EU Travelers
Europe's long-delayed Entry/Exit System (EES) officially starts rolling out October 12, marking a major change in how non-EU travelers enter and leave the Schengen Area. The system now requires all non-EU visitors to register their fingerprints and facial images when crossing into Europe's passport-free zone. While privacy groups have voiced concerns about biometric surveillance, the EU maintained that the system fully follows data protection laws.
Like what you hear from the Privacy Insider newsletter?
There's more to explore:
The Privacy Insider Podcast
We go deeper into additional privacy topics with incredible guests monthly. Available on Spotify or Apple.
The Privacy Insider: How to Embrace Data Privacy and Join the Next Wave of Trusted Brands
The book inspired by this newsletter: Osano CEO, Arlo Gilbert, covers the history of data privacy and how companies can start building a privacy program from the ground up. More details here.
If you're interested in working at Osano, check out our Careers page!
Arlo Gilbert
Arlo Gilbert is the CIO & co-founder of Osano. A native of Austin, Texas, he has been building software companies for more than 25 years in categories including telecom, payments, procurement, and compliance. In 2005, Arlo invented voice commerce; he has testified before Congress on technology issues and is a frequent speaker on data privacy rights.
