The Information Commissioner's Office (ICO) has admitted that it is ‘pressing for’ custodial sentences for malicious data loss.
Speaking at the Gartner Security and Risk Management Summit in London, David Smith, deputy commissioner and director for data protection at the ICO, said that it had powers of criminal prosecution, but that they were not its ‘primary way of enforcing the law’, as its only real sanction was to fine.
However, he said that it was pressing for the ‘power of custodial sentence’; primarily, these would be sentences ‘punishing for not doing things properly’.
Asked if there was a timeline for custodial sentences to be introduced, Smith said there was not, but added that it was something the ICO had been pressing for over a long period.
“The government have resisted for several reasons, such as they do not believe in creating more and more crimes that can carry prison sentences, also Leveson is looking at this following the actions of journalists, so let's wait for his report,” he said.
“So there are two things that we are waiting for: the Leveson report, and we do have a new Secretary of State for Justice who might have a slightly different take on this. So if you ask me to put some money on it, I think we will end up with the possibility of custodial sentences, but Leveson will have to report and the government will have to introduce legislation, and I don't think it will be less than 18 months.”
He also said that the sentences would be for malicious breaches, where someone has set out to break the law, and not for jailing someone who fails while doing their best.
Smith later said that it is not the breach itself that attracts monetary penalties, but the lack of security behind it: what training staff have had and the way systems have been set up.
He concluded his presentation by saying that the biggest risk now is the human factor, as every breach the ICO sees has a human failing behind it, and organisations do not adequately protect themselves.
“We see complacency coming, and the drive for cost savings in the public sector has driven security away from this area. Have you ever stopped to think about the risk? The way in which technology is developing has very little thought for data protection law, outsourcing and cloud. Also, data protection is about security of personal information, and also accuracy and keeping data to a minimum.
“I think the biggest driver is trust, confidence and getting this right, not just in your own business, but with people and trust in getting security right.”