Marking six months of increased ICO enforcement, with no fines seen
This week marked six months since the Information Commissioner's Office (ICO) introduced its increased enforcement powers, allowing it to issue a fine of up to £500,000.
Since then we have looked at the possibility and opportunity for the ICO to issue a fine and have wondered why nothing has happened; not a pound coin has ended up in its hands for a 'malicious data breach'.
I have often considered that one of the reasons why the ICO has not issued a fine has been because the losses have mainly been by public sector companies. Its own statistics showed that the NHS was responsible for a third of the first 1,000 losses incurred and to fine a trust would not only involve public money moving from one hand to another, but the ICO does not want the bad press that would go with it fining an NHS trust.
It is not that the ICO has had no opportunities to issue a fine; look at the Zurich Insurance data loss or even the recent ACS:Law breach. In the case of the former, in a conversation with the ICO I asked if it was going to issue a fine, they said that even though it had found Zurich to be in breach of the Data Protection Act back in March this year, a fine would not be issued because it 'used the powers which were available to us at the time'.
Another incident concerned the loss of a laptop by the Yorkshire Building Society, and then an ICO spokesperson told SC Magazine that there were no plans to fine the companies involved, as it reviews every case individually, and that it was not about punishment, it is about helping them take remedial action.
Speaking at the Information Security Europe show in April, the deputy commissioner David Smith said that it was waiting with 'baited breath' for the first of its £500,000 fines to be handed out. Yet almost six months since that keynote was delivered, still nothing.
I turned to the industry to seek opinions on why we had not seen a fine yet. Chris McIntosh, CEO of Stonewood, told SC Magazine that ‘the ICO has had the power to impose large fines for over six months now and people are starting to wonder whether they are ever going to make use of it'.
He told SC Magazine this week that he felt that the ICO has raised awareness of data losses by introducing the new fine. He said: “The public sector in particular is, slowly but surely, encrypting its data in order to comply. We have also seen more interest since the fines were introduced, but there is still often an impression there that encryption is too expensive.
“This suggests that people still aren't taking data loss as a serious threat. That being said, it's been six months and we're still waiting for the ICO to impose a single fine, even though there have certainly been more than enough cases where a fine could have been imposed. This is something the ICO should address.
“This could lead to companies seeing other authorities as more of a threat than the ICO, as they are more known for and thus more likely to impose fines. Keeping that in mind, it's no longer just data security that isn't being taken seriously enough: by continuing down this path, the ICO itself is running the risk of not being taken seriously either. At the moment it is not the ICO that is keeping the standards, but authorities such as the FSA. Personal customer data should be of utmost importance to any company so if it's not the fear of losing their reputation that makes them invest in encryption, it has to be the threat of a significant fine.”
Daniel Axsater, CEO of email services provider CronLab, told SC Magazine that whilst he felt £500,000 indeed is a hefty fine, he assumed that this would only be given out to large corporations who severely breach the guidelines.
“However, this is likely to result in more openness in terms of breaches which in turn will result in even more significant reputational damage; something that is likely to cost companies far more than the fine itself,” he said.
“I do believe that data leakage solutions will come more and more - so far it has only been on the radar screen for very large corporations and companies directly involved in the financial sector. Decisions like these, especially with the openness it results in are however likely to result in more and more companies buying solutions for data leakage to limit these risks.”
Ash Patel, country manager UK & Ireland for Stonesoft, said he thought from what he had seen and heard about data loss that people are capable of evading fines whether they are from the ICO or the FSA. However, as companies are challenged and push out policies when necessary, the level of impact is negligible unless it is enforced.
He said: “Companies are capable when it comes to protecting the network or using data loss prevention, but they are losing data on a CD or a USB and the problem is not with technology, it is within organisations, with employees not understanding the value of data. Where the problem is when the data is not considered, it is seen as just a file with a few names and not as sensitive information.
“There is little knowledge driven on how to teach individuals within an organisation and the problems cannot be solved easily. One way that this can be addressed is within human resources, if an organisation has a written security policy and pushes it on to its employees and makes sure that they understand it and if an error occurs and someone loses data on an unencrypted USB stick when they had the ability to encrypt it on their desktop, it is an HR issue and that person should be dismissed.
“If you left a safe door open within an office you would be sacked the next day, so why is this different? People are not cracking down on it and they need to.”
Perhaps it could be argued that there has been success in highlighting the issue of data loss and this effort has given the ICO the capability to work with organisations in both the prevention and problem of data loss.
Francis deSouza, senior vice president of the enterprise security group at Symantec, said that he felt that the ICO plays a vital role in the protection of information and in alerting the public to the breaches.
He said: “This serves two purposes in our minds: one is that it lets the public know about what is happening; and secondly it lets organisations know that they are being tracked and breaches are being noticed and that there are consequences, even if the consequences are not fines, there are reputational consequences associated with the breach, and that alone is an important capability.
“Having said that, we think that the ICO has the authority to levy fines and it is inevitable that at some point they will when a breach occurs that crosses the line for that.”
Much like a child fearing parental punishment, the ICO has used its regulatory power to ensure that companies are aware of its increased enforcement powers and with that it may be the case that businesses have upped their game.
Then again until a fine is issued, it may be seen as an empty threat and companies may think that they can get away with signing an undertaking.