Two months of increased enforcement by the Information Commissioner's Office but why are we yet to see the first fine?

Opinion by Dan Raywood

Sunday marked two months since the introduction of increased fines by the Information Commissioner's Office (ICO).

Since 6th April this year, the ICO's enforcement powers have increased significantly, with the ability to impose fines of up to £500,000 for data loss. Yet it could be claimed that one of the major problems is that the data losses recorded since then have mainly been in the public, rather than the private, sector. It could also be argued that, while no fines have been issued, awareness has been raised within businesses.

Dave Tripier, chief marketing officer for IronKey, claimed that with most breaches due to lost or stolen devices, surely now is the time for businesses to take the initiative and avoid the wrath of the ICO.

He said that the new measures have left many organisations frustrated, claiming the guidelines are vague and that it is just another revenue opportunity for the government, but added that ‘energy and attention are being focused incorrectly’.

He said: “Obviously the fact that the commissioner has the ability to decide the level of fine – depending on the size and financial means of the organisation and the severity of the breach – is a major concern. But how can the government, or for that matter business, look over 1,000 data breaches and not take action?

“For any organisation to run efficiently – whether it comes to data protection, worker productivity, or staying within budget – it must have a clear picture of how employees are accessing and storing data. With all risk management metrics indicating a breach will occur, the new consequences of a data breach provide the business justification to reassess the measures they currently have in place and set the correct policies internally. Ignoring the facts or opting for a cheaper IT security option won't work much longer.”

In recent weeks, the authority of the ICO has been tested after it announced that the number of reported breaches has topped 1,000 – with 305 of those reported by the NHS alone.

Proofpoint recently conducted a survey at Infosecurity Europe that revealed that 93 per cent of security professionals are still concerned about private information leaking via email within an organisation, and over half are still not encrypting data at all.

The survey also found that around half of businesses (49 per cent) have deployed some kind of email encryption system, and a further 21 per cent intend to implement one in the future.

Ken Yearwood, director NEMEA at Proofpoint, said: “Enterprises have a pressing need to adhere to regulations that require special handling of sensitive information in emails, and require automatic methods for ensuring compliance.

“Businesses are increasingly turning to data loss prevention, email encryption, compliance and eDiscovery solutions in a bid to meet these increasingly complex data privacy requirements and ensure their own peace of mind when it comes to the security of the information held in email communications.”

Speaking at Infosecurity Europe, deputy commissioner at the ICO, David Smith, said that it was ‘waiting with bated breath for the first of its £500,000 fines to be handed out’.

However, since 6th April, West Berkshire Council, Lampeter Medical Practice and Gwent Police have all reported data losses. Could it be that enforcement against these public sector organisations would only be taxpayers' money moving from one pocket to another, and hardly likely to drive the fear of the regulator into private industry?

A survey by Cyber-Ark discovered that 19 per cent of companies are still using couriers to send large or sensitive files, the insecure transfer method utilised originally by HMRC that left a disk containing child benefit information missing in London.

The survey showed that some of the lessons had been learnt: 82 per cent of companies now have systems in place to allow them to transfer data, and the number of companies using email to transfer files has decreased from 35 per cent to 16 per cent in two years, while adoption of secure email has risen to 42 per cent.

So is there a concerted effort to be more efficient and secure when sending and transferring documents and data? Mark Fullbrook, UK director for Cyber-Ark, said: “With FTP, and even encrypted FTP sessions, the problem arises after data has moved while it sits on the FTP or SFTP server in plain text. The nature of the beast means the service is directly connected to the internet leaving it open to violation and as there is no audit trail; there is no record of who accessed the files.

“More alarming are those organisations that are using a web-based offering – they may just as well stand on a street corner and give away their information, as these services just weren't designed with sensitive corporate data in mind.”

Speaking to SC, Kevin Bocek, director of product marketing at IronKey, claimed that the government has shown restraint and wants to work with the industry, but a loss of a device does not have to lead to a breach.

Asked if the regulations were not clear, Bocek said: “By design the ICO wants to work with industry and be fair, and new regulation is clear on guidance, so this is all the more why it wants to test the water. All sorts of large businesses are coping and are storing large data.”

Asked if a fine could send a business under, Bocek said: “There is a possibility that £50,000 could be significant even for a local authority or mid-sized business, so now it is up to them to make the business case for senior management. How many laptops, USBs does a business lose each year? Take this opportunity to make a request for a budget to prevent data loss.”

Tripier also commented that ‘the threat of a fine and consequences of a breach are naturally not going to make employees think or act differently in terms of data security’. The reality of the situation is that employees have more opportunities than ever before for human error to result in data loss or a breach.

While a data loss and fine is unlikely to impact most employees, and comments have been made that fines will be absorbed by large organisations, I am reminded of a survey by BlockMaster, which found on 6th April that just under half of city employees believe a data breach would result in a fine of less than £10,000.

Two months on, little seems to have changed with the increased ICO enforcement, but that can change very quickly, and the significant data loss that triggers the first fine could be about to happen.
