Article

Why similar data breaches are not created equal

Marc Marrero, Practice Lead
May 2025


Data Breach. Two words which unite everyone from regulators, senior management and Data Protection Officers to Information Security practitioners and individuals, creating both a sense of fear and a pressing need for an immediate response. Data breaches currently make headlines on a near weekly basis. And yet, similar data breaches do not yield similar outcomes when it comes to regulatory enforcement, fines or reputational damage.

Even within regions, where on the surface the same data protection laws apply, such as across the European Economic Area (EEA) with GDPR, a nearly identical data breach in Spain and Ireland would often not lead to the same result. Why? To answer this, let us consider five key differentiating factors which cause similar data breaches worldwide to result in vastly different outcomes.

1. Is there a National Regulator?

It may seem obvious, but the exact same data breach impacting data subjects in India (where there is not yet a functioning national data protection regulator) and South Africa (where there is a national data protection regulator) will generate different regulatory responses. At the same time, it is important not to discount sectoral regulators in this scenario. In many instances, these regulators, and in particular those from the financial services and insurance sectors, have developed specific enforcement plans for their respective industries in the absence of a national regulator.

2. Regulatory focus

What regulators choose to focus on matters. Post Brexit, the UK Information Commissioner’s Office (ICO) has chosen to tread lightly in areas of enforcement [1]. This is particularly true for nationally important industries that support UK employment, as well as for government entities. The ICO’s thinking here appears to be that fining local councils or other government agencies for data breaches worsens those entities’ financial situation, leading to potential job losses, and may impair their ability to invest in data protection going forward. From the UK National Health Service (NHS) to local councils, many strongly worded cautions have been issued [2] in recent years, ostensibly to avoid hurting the public purse and to preserve employment.

This does not mean that an NHS hospital or UK local council will never be fined for a data breach that the French regulator, the Commission nationale de l’informatique et des libertés (CNIL), would issue a fine for. However, it does show that a data protection regulator’s starting assumptions as to how it should interact with business and government matter at a country-by-country level.

A stark example of how much regulator focus matters came into play with Facebook and Cambridge Analytica’s 2018 data breach and the associated fines. Comparing this data breach across the globe, a token £500k fine (token for Facebook) was issued in the UK versus a $5 billion fine in the US, with no direct punitive action in much of Asia Pacific. This underscores the uneven global regulatory landscape at the time: some regulators chose to focus on fining big tech, while others chose to use this incident to galvanise stronger data protection laws in their regions (the latter being the focus in the Asia Pacific region) [3].

3. Regulatory co-enforcement

How national and sectoral regulators choose to cooperate is also a significant factor in how data breach responses differ across countries. In the United Kingdom, for example, the Financial Conduct Authority (FCA), as the financial services regulator, cooperates with the ICO and can jointly bring actions against a regulated financial services firm that causes a data breach. The FCA’s ability to shut down a financial services firm, rather than simply impose a fine as the ICO does, creates a far greater existential threat to a regulated firm, which is obligated to respond during an investigation or data breach.

In a country where co-enforcement does not exist, or does not yet exist, it is rare for a data protection fine to be an existential threat to the entity. Should the same data breach occur, for example, in both the United Kingdom and Barbados (where there is currently no regulatory co-enforcement), the response and the effectiveness of that enforcement will differ in both size and scope.

4. Timing

The timing of a data breach matters more than one would think. In the UK in 2019, Marriott Hotels and Resorts was fined £99 million and British Airways £183 million for large scale data breaches. With the COVID-19 pandemic occurring less than one year later, and with the travel industry being particularly impacted and struggling financially, the ICO in 2020 reduced the fines for British Airways to £20 million and for Marriott International to £18.4 million. These fines were significantly reduced from the amounts initially proposed, with the ICO citing various factors including the economic impact of the pandemic [4].

Another interesting example where timing matters relates to BioMedical Laboratories’ data breach in late 2024/early 2025 in Jamaica. Jamaica’s Office of the Information Commissioner (OIC) noted that not having sanction and enforcement powers [5] limited its ability to respond to a breach of the magnitude of BioMedical Laboratories’.

5. Litigation Risk

It should come as no surprise that the same data breach in a more litigious country comes with greater risk and higher penalties when compared to a country without such litigiousness. Taking the Marriott data breach in 2019 as an example (see the Timing section above), the UK fined Marriott £18.4 million. In the US, while Marriott paid $52 million to settle lawsuits across multiple states, the company additionally agreed to settle multiple class action lawsuits, which added significantly to the cost of this data breach.

This instance highlights the US approach to data protection, which combines government enforcement with private litigation. Multiple state and federal authorities delivered a large penalty overall, which was roughly $0.15 per affected person. This approach to litigation highlights a philosophy that differs from the revenue-based fine calculation applied across Europe under the GDPR [6].

Of note in the previous example is that the above factors do not occur only in isolation. In the case of the US response to Marriott’s data breach, four of the five factors above came into play (all except regulatory co-enforcement).

While it should not be surprising that the same or similar data breaches lead to different outcomes across regions, the regional disparity can generally be accounted for by one or more of the above five factors. Only by understanding these factors, and how they may interact for a data controller’s respective region(s), can an entity hope to adequately manage its data protection risk.

[1] https://www.openrightsgroup.org/publications/briefing-the-ico-isnt-working

[2] https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2024/12/ico-2024-a-year-in-review/

[3] https://news.sophos.com/en-us/2019/07/16/5b-privacy-fine-against-facebook-seen-as-chump-change/

[4] https://www.macfarlanes.com/what-we-think/2020/lessons-from-the-ico-s-decisions-to-reduce-the-ba-and-marriott-gdpr-fines/

[5] https://radiojamaicanewsonline.com/local/oic-concerned-about-data-breaches

[6] https://apnews.com/article/marriott-data-breach-settlement-97534838b650bfc7a9e73a5336b2988e