A £500,000 penalty has been introduced by the Information Commissioner's Office (ICO) for personal data security breaches.
As revealed by SC Magazine last year, there are plans to increase the punishing powers of the ICO and an announcement revealed that it will be able to order organisations to pay up to £500,000 as a penalty for serious breaches of the Data Protection Act.
The ICO has produced statutory guidance about how it proposes to use this new power, which has been approved by the Secretary of State for Justice, and was laid before Parliament yesterday.
Information Commissioner Christopher Graham said: “Getting data protection right has never been more important than it is today. As citizens, we are increasingly asked to complete transactions online, with the state, banks and other organisations using huge databases to store our personal details.
“When things go wrong, a security breach can cause real harm and great distress to thousands of people. These penalties are designed to act as a deterrent and to promote compliance with the Data Protection Act. I remain committed to working with voluntary, public and private bodies to help them stick to the rules and comply with the act. But I will not hesitate to use these tough new sanctions for the most serious cases where organisations disregard the law.”
Chris McIntosh, CEO of Stonewood, said: "This decision to grant the right for the ICO to impose penalties of up to half a million pounds for serious breaches of the DPA is great news, as it shows the Government is finally starting to take data loss more seriously.”
However he claimed that there was still a long way to go, as organisations have a duty to protect the data they hold on employees, partners and customers, but it is all too often ignored or not understood.
“In line with stronger punishments for breaches of the DPA, there must also be a stronger message from the Government; businesses have so much bureaucracy and red tape to deal with when it comes to data compliance that it is too confusing to be effective,” said McIntosh.
“Government needs to provide simple, straight forward legislation regarding the protection of personal data through encryption, as it is the only way to make sure that if data is lost or stolen, it cannot be misused if it gets into the wrong hands. Considering it only costs around £200 to encrypt a hard drive and the cost of a breach can now be anything up to half a million pounds in fines alone, it really is in everyone's interest to protect the data that they hold."
Jamie Cowper, director of European marketing at PGP, said that the threat of a half a million pound fine is a powerful motivator.
He said: “The cost of data breaches is already staggeringly high for UK businesses; last year the average breach cost £1.7 million, or £60 for each identity lost. If the ICO's bite turns out to be as big as its bark, this cost could exceed £2 million; a huge expense at a time when businesses and public sector bodies can ill afford to waste money.
“Organisations that want to avoid these massive financial penalties must look to implement watertight data protection strategies, employing proven technologies such as data encryption to ensure that confidential information is locked down. It is only by doing so that companies can be sure that their customers, reputations and profits are protected.”
Simon McDougall, head of privacy and data protection at Deloitte, said: “While the largest fines may only be dealt out to larger firms for serious breaches of the Data Protection Act, all organisations are now faced with a very real threat of significant financial penalties over and above any existing operational clean up costs and reputational damage should they suffer a breach.”