So after a near eight-month wait for the Information Commissioner's Office (ICO) to take action we finally got some this week.
When I talked to Stewart Room, partner at legal firm Field Fisher Waterhouse, after the incident, he said it was not clear how the fines had been calculated, yet he welcomed the fact that the amounts fined were not the maximum capped £500,000.
From my conversations about this with various people, there seems to be a clear consensus on what led to the fines being issued: the Hertfordshire County Council (HCC) breach was an employee error, while the A4E breach was down to a lost device that was unencrypted.
Gartner research director Robin Wilton claimed that in each case, there was something characteristic about the kind of data compromised: not just personally identifiable information, but in one instance, data about a child sex abuse case which was before the courts, and in the other instance, data about alleged criminal activities of the individuals concerned.
Across the industry there was a generally welcoming reaction to this news. Chris McIntosh, CEO of Stonewood, said that while the £60,000 for A4E may seem large, it is still a tiny fraction of what most companies might expect to pay and could even be less than the cost of actually encrypting a large number of devices.
He said: “£60,000 might seem like a large amount yet it amounts to less than £2.50 per lost item of data. At the same time, for most large organisations, £60,000 will be a drop in the ocean. It is a welcome sight to see the ICO finally lay its cards on the line and issue fines for losing unencrypted data but it will be interesting to see where it goes from here.
“Is £2.50 the going rate for personal data that can destroy an individual's life, or will fines be set to reflect the severity of the loss, the sensitivity of the information and the size of the organisation at fault?”
Jamie Cowper, data protection specialist at Symantec, praised the ICO for giving the Data Protection Act ‘teeth’ and showing that its ‘bite lives up to its bark’. “The fines issued today demonstrate the importance of protecting data and of having clear guidelines in place to determine how sensitive information is used,” he said.
“For a data breach to attract a monetary penalty, the ICO must be satisfied that a serious breach is likely to cause ‘damage or distress’ and that it was either ‘deliberate’ or ‘negligent’ and that the organisation ‘failed to take reasonable steps to prevent it’. This further highlights how information, which has become the lifeblood of organisations, must be managed appropriately.”
Richard Turner, chief executive of Clearswift, said that the news highlights the fact that data security is far more complex in today's business environments where a wide range of communication channels are in use.
“Organisations need to realise that, in conjunction with security technology, their staff can be a powerful additional protector of data security. For data security policies to be really effective, employees need to understand what the parameters are and more importantly why they are there,” he said.
“Otherwise ‘accidents’ happen when they try to find a way to get around them. Education and explanation of web and email policies means that people can actively take on board the risks and adapt their behaviour in the long-term.”
A survey issued this week by LogRhythm showed that the British public wants tougher regulations to help safeguard sensitive data, as it found that 80 per cent of UK consumers felt that companies should be subjected to a US-style breach disclosure law, forcing them to publicly declare data loss incidents.
Ross Brewer, vice president and managing director of international markets for EMEA at LogRhythm, said: “This lack of public confidence is something that businesses and the Government need to address fast. Our findings show that when people hear about the loss of confidential information they will actively avoid the organisations involved: 66 per cent stated they would try to avoid future interactions, while 17 per cent were adamant they definitely would not have anything more to do with the guilty party. The message to organisations could not be clearer: those taking a lax approach to data security will not just lose face, they will also lose customers.”
So perhaps one of the major stories here is that a public sector body was fined, something that had seemed unlikely, as county councils and NHS trusts had already signed undertakings after multiple data losses but were not fined.
Wilton said: “There is always the argument that fining a public sector body not only costs the taxpayer, it also potentially takes away funds which the organisation might otherwise have been able to apply to fixing the problem. I talked to the former Commissioner, Richard Thomas, about that once; not surprisingly, his preferred solution was that any fines levied (on public sector bodies in particular) should be ploughed back into the ICO itself. However, I don't think he got his way, and as far as I know the funds go into the central government pot managed by the Treasury.
“There are clearly some delicate balancing acts to be done here, for instance should public sector offenders be fined less than commercial organisations or should they be fined more to make up for the fact that they have less to lose from damage to their reputation?”
Murray Pearce, director of Vigil Software, agreed, saying that the fine issued to a local authority sends a clear message that data breaches in the public and private sectors are to be viewed on an equal footing.
“This also tells us that, even with the budget constraints that the public sector spending review has brought, information security is a priority that they cannot afford to ignore. The debate will continue on the long term consequences of these colossal fines, but this is a clear warning that failure to follow data protection requirements could not only mean loss of reputation but could also have serious financial implications,” he said.
Also, Christopher Jenkins, security director of Dimension Data UK, commented that the fines send ‘a powerful message to businesses of all sizes that they must act now to ensure their data and IT security measures are adequate’.
He said: “Today many organisations will be reflecting on what might happen if one of their unencrypted laptops, smartphones or USB sticks went missing and will no doubt appreciate how easily such an incident can take place. With these two highly public cases, businesses that have paid scant attention to IT security now have the motivation and proof needed to remove it from the ‘nice to have’ basket and avoid the embarrassing risk of a substantial fine and reputational damage.
“Security breaches will continue to happen but hopefully these fines will convince organisations that they need to lift their game and reduce the damage that data losses cause to their customers and stakeholders, and themselves. We fear, however, that it may take more fines and more damaged reputations before organisations truly realise that, no matter what their size, they are not immune from data loss.”
The stories and comment around this news will likely continue for weeks and years to come; as Room said to me, ‘this will be used in research and presentations as a benchmark’. I felt that the news would never come, certainly not this year anyway, and while I anticipate that it may be some time before the ICO announces another fine, there will remain ample opportunity for it to issue one.