The rapid development of new powers for the Information Commissioner has been evaluated, with CISOs advised on where they could fall foul of the new legal framework.
Commenting on the new regulatory powers and the ability to impose a £500,000 fine, Stewart Room, partner at Field Fisher Waterhouse, said that as a lawyer he was used to seeing new laws take a long time, yet this new legal framework kicked off 'at lightning speed pace' and cascaded out of parliament and out of the regulators at 'Olympic pace'.
Delivering a keynote speech at the (ISC)2 conference on 'protecting your data', he said that in the wake of the HMRC data loss, guidelines were issued on implementing encryption. In March 2008 new guidelines on data breach handling and disclosure followed, and within six months of the HMRC incident the government passed the Criminal Justice and Immigration Act.
Room said: “Because it is developing so quickly, it cannot be developed just in parliament, it is being developed in all places where there is a legal right to create law.”
Speaking on the new penalties, he said that the 'regulatory bear market' was at the heart of the legal framework and 'it has a downer on us as controllers of data and as controllers of systems.'
He said: “From the 6th April, the Information Commissioner will have the power to fine organisations £500,000 for bad data handling. In this day and age of bank bailouts, what is £500,000? Let me add a different perspective though, the public penalty will be regarded as a badge or stigma of incompetence in data handling, that is what it will mean.
“If you suffer a security breach in your organisation and you are fined £500,000 you can be sure that there will be dismissals following, that it might be legally significant in another jurisdiction that is even tougher than ours. It may have an effect on share prices, it might have an effect on brand reputation – the point is it is much more than a monetary penalty, it is the stigma, shame or failure in light of all this building that has been going on and all of the warnings that have been given to organisations.”
To impose this fine the ICO will have to show a serious contravention likely to cause substantial damage or distress, and that the contravention was either deliberate or one the organisation knew, or ought to have known, was a risk and failed to take reasonable steps to prevent.
“Ask your organisation these questions: does it have the ability to say 'I told you so'? Does it have the evidence, or people complaining, that not enough was done? Are there reports to the board that have gone un-dealt with? Are there emails from the CISO or IT director bemoaning the lack of investment in this particular area? Are there consultants' or auditors' reports with lots of actions?” asked Room.
“If that is the complexion of your organisation, if you have unfulfilled actions that third parties have recommended, if that comes out, let me tell you clearly that will be the stuff upon which deliberate failure will be found. If your organisation has that complexion, be very aware of the consequences.”