Commenting on news that firms could face fines of up to £17m or 4 percent of global turnover if they fail to protect themselves against cyber attacks, Joe Hancock, Cyber Security Lead at Mishcon de Reya, said:
“The continued high profile of this bill again underlines how crucial cyber security is when it comes to the protection of data. As well as protecting data from hackers, or from simply being lost by staff, companies must notify individuals when their data is lost or stolen within 72 hours if the loss poses a serious risk to them.
“The fines for data breaches under the new laws will be greatly increased from a maximum of £500k today, to up to £17m or 4 percent of global revenues. These are huge numbers and not to be taken lightly; however, it is unlikely that these penalties will be widespread given the sheer number of organisations the bill applies to and the historic lack of heavy enforcement action for all but the worst offenders.
“The bill also introduces new criminal offences, for identifying individuals from anonymised data and also for modifying records to avoid disclosure. These offences really hammer home the level of potential enforcement the Information Commissioner's Office (ICO) can bring to bear, and may signal a more strict enforcement regime.
“Businesses now need to be prepared to both protect data and to respond when the worst happens. 72 hours is not long and a badly-worded, ill thought-out notification could cause significant reputational damage and the loss of customers.”