Companies are being warned to tighten up their security systems or risk large fines for data-protection offences. The news comes as information risk management expert Recommind found that fraud losses in the UK are at an all time high.
Following on from a Ministry of Justice consultation paper that ran between 9 November and 21 December, the Information Commissioner’s Office (ICO) has now been given the power to issue large fines for any serious data breaches, after gaining the approval of Secretary of State for Justice, Jack Straw.
It is expected to become law on 6 April, providing there are no parliamentary objections.
Companies that fall foul of the data breach laws now risk a maximum fine of £500,000. It is not clear at this time whether the same principle applies to Government departments that lose sensitive data.
“Getting data protection right has never been more important than it is today. As citizens, we are increasingly asked to complete transactions online, with the state, banks and other organisations using huge databases to store our personal details,” said Information Commissioner Christopher Graham. “When things go wrong, a security breach can cause real harm and great distress to thousands of people. These penalties are designed to act as a deterrent and to promote compliance with the Data Protection Act.”
“I remain committed to working with voluntary, public and private bodies to help them stick to the rules and comply with the Act,” he added. “But I will not hesitate to use these tough new sanctions for the most serious cases where organisations disregard the law.”
The ICO said it will take a “pragmatic and proportionate approach” to fines, taking into account the size and resources of the organisation, as well as the size and severity of a data breach. It will also reduce fines by 20 percent if an organisation pays in full within 28 days.
Fines will go to the government’s consolidated fund.
Meanwhile Recommind is warning UK organisations to prepare themselves for an ending of the last ten years’ lax regulatory environment. The warning came after accounting firm BDO’s report showed how fraud losses in the UK have soared 76 percent to £2.1 billion in 2009.
This, according to Recommind, is the highest total since 2003.
The BDO report also revealed that many newly reported cases involved fraud that actually begun during the economic boom, but is only now being uncovered as companies take a closer look at their revenues and expenses.
“For company directors, the worry in being held to account for all actions of their firms is that there is simply too much data being created today, making it increasingly challenging for them to manage their information risk – specifically to know where information lives, who has access to it, and even what is happening at the ‘worker bee’ level,” said Craig Carpenter, VP and general counsel at Recommind.
“With more stringent punishments coming, companies must regain control of their corporate information systems so that employees cannot easily misuse data or engage in illegal activities that may go unnoticed,” said Carpenter.
“In addition to sound policies and workflows, organisations must deploy technology that can limit access to confidential information based on roles and authorisation levels, as well as provide the ability to audit users’ activities – a process that can not only act as a deterrent, but also safeguard against potential compliance issues,” Carpenter added.
Oracle's huge AI, Cloud investment in Japan will meet growing local demand and address digital…
People who create sexually explicit ‘deepfakes’ of adults will face prosecution under a new law…
Protest at cloud contract with Israel results in staff firings, in addition to layoffs of…
Microsoft warns of Russian influence campaigns have begun targetting upcoming US election, albeit at a…
Microsoft to avoid an EU investigation into its $13 billion investment in OpenAI, after EC…
As President Biden 'considers' request to drop Julian Assange extradition, US provides assurances to prevent…
View Comments
Resorting to punitive measures, such as fines, represents a sad day in the history of information security. Alas, the repeated examples of lax corporate and public sector security awareness and compliance have made it an unfortunate necessity.
Lax data security processes are not confined to the private sector. TK Maxx, Nationwide Building Society and Cotton Traders are just a few examples of enterprises that have suffered a data loss or theft, but can immediately be matched by failures within the public sector at HM Revenue and Customs, the NHS, the Ministry of Defence, to name just three.
Increased regulation and public expectation over the safety of data poses challenges for the IT department and for those responsible for security policy and training. These challenges are amplified by the real threat of a large fine or other legal sanctions. Some businesses, particularly in vertical sectors such as financial services that are already heavily regulated in relation to data protection, often find themselves struggling to stay on top of the latest regulations and requirements.
Failure to stay on top of these rapidly evolving legal requirements can quickly develop into malaise, and this is where security problems occur. The sizable fines the Information Commissioner's Office can now impose will hopefully deter organisations of all types from falling behind on data security.
However, if past instances of data loss and theft teach us anything, it is that regulation alone will not solve the problem. Such measures must be aligned with an overall government effort to encourage and build a culture of security best practice and common sense, underpinned by solid technologies that can deliver the level of security required by law and able to cope with emerging threats and the changing ways in which we work.