Information Commissioner introduces £500,000 fines for data breaches
From today, a deliberate or malicious data breach can be punished with a fine of up to £500,000.
As announced by the Information Commissioner's Office (ICO) in January, a penalty of up to £500,000 can now be imposed for breaching the Data Protection Act.
It said in its guide to data protection that it has ‘a statutory power to impose a financial penalty on an organisation if the Information Commissioner is satisfied that there has been a serious breach of one or more of the data protection principles by the organisation, and the breach was likely to cause substantial damage or distress'.
Speaking to SC Magazine last year, former Information Commissioner Richard Thomas said that ‘most insider incidents are accidental, but the damage can be very severe, with damage to the people whose data is compromised and to the company, leading to big fines, cost, reputational and share price damage all showing why it needs to be taken seriously'.
He also said that in the last couple of years of his time as the Commissioner, he had persuaded the government to increase the standing, power and resources of the office and this had led to the introduction of increased fines.
Speaking about the introduction of the fines, Richard Turner, chief executive at Clearswift, said: “Organisations can no longer ignore the seriousness of corporate data breaches and not complying with the Data Protection Act. The loss of personal data or any data that organisations deem invaluable is unacceptable mainly because it is all preventable.
“The term ‘accidental' is often used by organisations to highlight why things have gone wrong – but this just means that the data security policy was not defined, not shared or not enforced. Companies can avoid attempted data breaches with web and email security solutions which are automated, ensure consistent management and monitoring of communication flows as well as an ability to report on violations with roles-based access and audit logs which comply with process requirements.
“At Clearswift we firmly believe that it is time for the IT security industry to take more active steps to lead the education of data users on acceptable use and enforcing the standards that we all require. This does not mean stopping and blocking businesses from functioning it means understanding how an organisation works with and needs information, then ensuring that it can be accessed and protected in equal measures.”
Amichai Shulman, chief technology officer at Imperva, commented on the guidance which states that penalties will be incurred where the ‘data controller has seriously contravened the data protection principles and the contravention was of a kind likely to cause substantial damage or substantial distress'.
He said: “The crucial wording in the guidance notes is that `the data controller must have known - or ought to have known - that there was a risk that a contravention would occur'.
“The problem is the emphasis on being honest upon discovery of a breach which could actually encourage organisations to have lax protection policies and robust CYA policies. Penalties may be necessary but governments should try to be on the constructive side and focus regulations on the protection side rather than on the disclosure side."
Jamie Cowper, European marketing director at PGP, welcomed the fines as for too long organisations have continued to ignore the warning signs – risking both the privacy of their customers and the reputations of their brands.
He said: “2010 has seen no departure from this trend – just last week Stoke-on-Trent City Council lost an unencrypted USB stick containing social services records. The addition of a £500,000 fine, on top of the overall cost of a data breach – which last year averaged £1.68 million per company – should in theory provide enough of a financial deterrent for organisations reluctant to invest in their security strategies.
“However, as 70 per cent of UK organisations suffered a data breach just last year, it is clear that the ICO is going to have to couple this new policy with a fresh awareness campaign if organisations are to truly recognise the financial sense of investing in proven technologies, such as encryption.
“Organisations would be well advised to act sooner rather than later, otherwise they may face the daunting prospect of being the first to suffer punishment from an ICO eager to demonstrate its new powers.”
Peter Gooch from Deloitte's privacy team believed that while the largest fines may only be dealt out to larger companies for serious breaches of the Data Protection Act, all organisations are now faced with a very real threat of significant financial penalties over and above any existing operational clean up costs and reputational damage should they suffer a breach.
He said: “What this means in practice is that the ICO now has a bigger stick to wield. The ICO will have a wide scope of interpretation when applying its new regime, as the fines can be levied for breaches of principles, rather than against the underlying detailed legal requirements. The first few fines the ICO levies will therefore set the tone going forward.”