Comment by ziddoap

11 days ago

Nice, thanks for the link!

The largest fine ever issued is about 2% of Oracle's 2024 revenue. If we average the top 5 fines ever issued (this breach surely won't result in the largest GDPR fine ever), it'd be about 1% of Oracle's 2024 revenue. So, between ~3.5 and ~7 days' worth of revenue, if we're lucky and get a top 5 GDPR fine?

I'm not sure that is in the "definitely change behavior" area yet (in fact, I'm confident it is not), but better than I thought.

7 days of revenue, 1 whole week out of 52 that all of your workforce production went to pay a fine? Yeah, that's quite noticeable for a corporation.

  • If this breach receives a fine in the top 5 fines ever issued in the entire history of GDPR enforcement.

    Don't forget to subtract out the money they saved from reduced investment in security over that time, as well.

    Noticeable? Sure. Nowhere near noticeable enough, though, in my opinion. Especially if we're serious about it and recognize this isn't going to be a top 5 fine.

    • Presumably if it's due to negligence (i.e. intentional lack of investment) it will happen again if the underlying issue isn't fixed. So you have to factor that in.

      If it happens repeatedly presumably the percentage will go up.

      I think the only way this gets written off is if saving the money opens you up to such a low level of additional risk that you don't reasonably expect the event to happen more than once (if ever). But if the risk level is actually that low (I don't believe this to be the case, just playing out a hypothetical here) then arguably they wouldn't be in the wrong.

      To put this in regular person terms, 3% of a 6 figure salary is $3k. That's more than enough to get most people's attention.

    • We rightfully see corporations as amorphous entities but I wouldn't like to be the VP/director that this fine gets blamed on. As probably don't other adjacent management staff.