"The ICO's powers to fine organisations up to 500,000 for serious data breaches were intended to act as a strong deterrent to prevent data loss. The industry is now waiting to see when this maximum fine threshold will be levied and the impact this will have.
"Tough measures are clearly needed and the FSA's fine for Zurich Insurance, sent a clear message to other Financial Services organisations that it's never worth the risk to take shortcuts on security given the potential damage that can be done both to a business's brand and to their bottom line. "The value of the fine itself may well have an impact on tightening up an organisation's security measures but protecting customers' data should be the main driver for improving security practices rather than the threat of financial punishment. Richard Walters, chief technology officer (CTO) at security software firm Overtis:
"I believe that we are currently in a period of mentoring, prior to out and out enforcement by the ICO. The ICO is still focused on using notices to encourage organisations to improve their handling of personal data. However, I have no doubt that enforcement is coming, at which time I suspect the fines will also increase. "For the vast majority of small and medium-sized enterprises (SMEs), 500,000 is a significant penalty. It is only for large enterprises - including large banks, building societies and insurance companies - that the ICO fine would not fit the crime.
"At the current limit of 500,000, it is too easy for large organisations to risk the fine rather than to implement strong controls. As with fines against individuals, the ICO fines should be based on a 'means test'."
