This week's monetary fines from the Information Commissioner's Office (ICO) should serve as a warning to companies about policy compliance.
Stewart Room, partner at legal firm Field Fisher Waterhouse, claimed that change is occurring and people need to be aware of what the changes are. He said: “Every organisation should have a set of rules for data holding, with regulators firstly looking at paperwork and not at the data centre or what is in the cloud; their resources will focus on the easiest way to do their job, and looking at paperwork is easier.
“Get your legal department involved in enforcement activity and focus on IT strategy within business and client bases. Until now it has been based on an undertaking; I have been critical of this because it has been regulation without a legal authority.
“The regulator says the best way to improve performance is to get the issue to the board table, and you will get awareness of the failure down to the board if you fail on IT and have directors putting pen to paper saying it will change business.”
Looking at this week's fines against Hertfordshire County Council (HCC) and employment services company A4E, Room said that they tell us about IT failure; in the case of HCC, which was fined for accidentally sending two faxes containing sensitive information to the wrong recipient, this was a routine failure.
Room said: “With the first fines it changes the dynamics, it is now clear that the regulator wants to change technologies. In 2010 there has been an incredible speed of activity and the regulator has proved it is not a shrinking violet, that it is out to prove failure and wants to promote change.
“We are seeing general activities on business being scrutinised; anyone or any business can suffer losses, and HCC and A4E will be referred to for years. HCC failed to change business process to prevent it happening again, and A4E had a policy on laptops and on encryption which said that laptops should be encrypted. Despite this, they issued an unencrypted laptop with 24,000 data records on it and they saw a theft occur.
“You have IT solutions with data loss prevention or encryption to prevent these incidents. Encryption is now a mandatory technology with personal and mobile data. Where there is a loss of sensitive data there is a breach of the Data Protection Act and the ICO decided to react with a significant tool in its armoury.”
He went on to claim that the ICO ‘got it spot on’ with the amount fined, as it is working in a capped environment and needs to keep enough ammunition in its gun to deal with cases, ‘and the ICO is exposing the worst cases’.
“In 2011 we will see ongoing regulation and real-time regulation. This is an immature market for IT security, but we are in a privileged time, and I know policy makes threats and sees the importance of technology, and if an IT company can get to the right person we do see clarity emerging,” he said.