Companies are being warned to tighten up their security systems or risk large fines for data-protection offences. The news comes as information risk management expert Recommind found that fraud losses in the UK are at an all time high.
Following on from a Ministry of Justice consultation paper that ran between 9 November and 21 December, the Information Commissioner’s Office (ICO) has now been given the power to issue large fines for any serious data breaches, after gaining the approval of Secretary of State for Justice, Jack Straw.
It is expected to become law on 6 April, providing there are no parliamentary objections.
Companies that fall foul of the data breach laws now risk a maximum fine of £500,000. It is not clear at this time whether the same principle applies to Government departments that lose sensitive data.
“Getting data protection right has never been more important than it is today. As citizens, we are increasingly asked to complete transactions online, with the state, banks and other organisations using huge databases to store our personal details,” said Information Commissioner Christopher Graham. “When things go wrong, a security breach can cause real harm and great distress to thousands of people. These penalties are designed to act as a deterrent and to promote compliance with the Data Protection Act.”
“I remain committed to working with voluntary, public and private bodies to help them stick to the rules and comply with the Act,” he added. “But I will not hesitate to use these tough new sanctions for the most serious cases where organisations disregard the law.”
The ICO said it will take a “pragmatic and proportionate approach” to fines, taking into account the size and resources of the organisation, as well as the size and severity of a data breach. It will also reduce fines by 20 percent if an organisation pays in full within 28 days.
Fines will go to the government’s consolidated fund.
Meanwhile, Recommind is warning UK organisations to prepare for the end of the lax regulatory environment of the last ten years. The warning came after accounting firm BDO’s report showed that fraud losses in the UK soared 76 percent to £2.1 billion in 2009.
This, according to Recommind, is the highest total since 2003.
The BDO report also revealed that many newly reported cases involved fraud that actually began during the economic boom but is only now being uncovered as companies take a closer look at their revenues and expenses.
“For company directors, the worry in being held to account for all actions of their firms is that there is simply too much data being created today, making it increasingly challenging for them to manage their information risk – specifically to know where information lives, who has access to it, and even what is happening at the ‘worker bee’ level,” said Craig Carpenter, VP and general counsel at Recommind.
“With more stringent punishments coming, companies must regain control of their corporate information systems so that employees cannot easily misuse data or engage in illegal activities that may go unnoticed,” said Carpenter.
“In addition to sound policies and workflows, organisations must deploy technology that can limit access to confidential information based on roles and authorisation levels, as well as provide the ability to audit users’ activities – a process that can not only act as a deterrent, but also safeguard against potential compliance issues,” Carpenter added.