ITPRO

Printed from www.itpro.co.uk


Companies face fines of £500,000 for losing data

As of today, the ICO has been granted powers to issue penalties of up to £500,000 for businesses or Government departments found in breach of the Data Protection Act.

By Martin James, 6 Apr 2010 at 10:15


The Information Commissioner's Office (ICO) has been granted new powers by the Government that could see organisations facing fines of up to £500,000 for breaching the Data Protection Act.

The ICO's new powers come into force today, and give the organisation significantly greater muscle in taking on data security breaches. Firms now risk a fine of £500,000 for losing consumer data – equivalent to more than 10 per cent of most small companies' annual turnover, and a figure 100 times higher than the previous maximum penalty the ICO could impose.

The stricter powers are seen as a necessary response to the increase in the incidence of data loss due to negligence across many Government departments in recent years. They will see the ICO able to issue compulsory audit notices to any Government department found in breach of the Data Protection Act.

The severity of the fine will be determined on the basis of the precautions taken by the company or department in question, and the nature of the data security breach.

According to the ICO's guidelines on the Data Protection Act, the most serious fines will occur in cases where the data controller responsible has “seriously contravened the data protection principles and the contravention was of a kind likely to cause substantial damage or substantial distress”.

The harsher penalties were first recommended in January in an ICO report to Parliament entitled Civil Monetary Penalties – Setting the Maximum Penalty.

At the time, Information Commissioner Christopher Graham warned companies that the tougher fines were a sign that the ICO was taking data security breaches more seriously than ever.

“Getting data protection right has never been more important than it is today. When things go wrong, a security breach can cause real harm and great distress to thousands of people. These penalties are designed to act as a deterrent and to promote compliance with the Data Protection Act,” he said, before adding: “I will not hesitate to use these tough new sanctions for the most serious cases where organisations disregard the law.”

Web security firm Symantec, meanwhile, has issued a set of guidelines aimed at helping businesses protect confidential data more securely and avoid being on the wrong side of a hefty fine.

Its recommendations include making sure a robust security policy is in place with strict guidelines on how and when data can leave the business premises, protecting all business hardware with the latest security software, ensuring all passwords are as strong as possible, and paying attention to non-electronic security measures such as paper-shredding too.

“The ICO is aiming to give the Data Protection Act ‘teeth’ and is clearly concerned about several high profile cases where unencrypted, confidential data residing on laptops and USB sticks has been lost and stolen,” said Mike Jones, Symantec's principal product marketing manager.

“The impact of the vast majority of these cases could have been easily mitigated or avoided altogether by following security best practice such as protecting data and having clear guidelines in place for how data is used.”


2 comments


A sad day in the history of information security

Resorting to punitive measures, such as fines, represents a sad day in the history of information security. Alas, the repeated examples of lax corporate and public sector security awareness and compliance have made it an unfortunate necessity.

Lax data security processes are not confined to the private sector. TK Maxx, Nationwide Building Society and Cotton Traders are just a few examples of enterprises that have suffered a data loss or theft, but can immediately be matched by failures within the public sector at HM Revenue and Customs, the NHS, the Ministry of Defence, to name just three.

Increased regulation and public expectation over the safety of data poses challenges for the IT department and for those responsible for security policy and training. These challenges are amplified by the real threat of a large fine or other legal sanctions. Some businesses, particularly in vertical sectors such as financial services that are already heavily regulated in relation to data protection, often find themselves struggling to stay on top of the latest regulations and requirements.

Failure to stay on top of these rapidly evolving legal requirements can quickly develop into malaise, and this is where security problems occur. The sizable fines the Information Commissioner’s Office can now impose will hopefully deter organisations of all types from falling behind on data security.

However, if past instances of data loss and theft teach us anything, it is that regulation alone will not solve the problem. Such measures must be aligned with an overall government effort to encourage and build a culture of security best practice and common sense, underpinned by solid technologies that can deliver the level of security required by law and able to cope with emerging threats and the changing ways in which we work.

Stuart Hodkinson, UK general manager, Courion

By Ip_courion3a5e03 on Tuesday Apr 6


Most Organizations Enjoy "Security" as a Matter of Luck

In David Scott’s words, everyone needs to be a mini-Security Officer in the modern organization today. I think Mr. Scott is right: Most individuals and organizations enjoy Security largely as a matter of luck. Anyone else here reading I.T. WARS? I had to read parts of this book as part of my employee orientation at a new job. The book talks about a whole new culture as being necessary – an eCulture – for a true understanding of security, being that most identity/data breaches are due to simple human errors. It has great chapters on security, as well as risk, content management, project management, acceptable use, various plans and policies, and so on. Just Google IT WARS – check out a couple links down and read the interview with the author David Scott at Boston’s Business Forum. (Full title is I.T. WARS: Managing the Business-Technology Weave in the New Millennium). For some free insight, check out his blog, “The Business-Technology Weave” – you can Google to it, or search on the site IT Knowledge Exchange which hosts it. Great stuff.

By Ip_johnfranks999 on Tuesday Apr 6

