Infosec 2010: Data Watchdog Pushes For Prison Sentences

The Information Commissioner’s Office (ICO) has claimed that new powers mean it is no longer a “toothless tiger”, and is pushing for prison sentences to be introduced for professional data thieves.


Speaking on the first day of the Infosecurity Europe conference in London on Tuesday, David Smith, ICO deputy commissioner, said that although the organisation had been granted new powers recently, it was keen for persistent and professional data thieves to be punished with jail sentences.

Smith identified groups including private investigators and internal employees who sell company data as targets for prison time. “Those who con information out of you, who work for you and/or sell information on the black market … all these are criminal offences already but we argue they should be prison offences,” said Smith.

The ICO recently took part in a government consultation on the issue of prison sentences but said that the issue would have to be resolved by the new government.

“The government consulted us on this. That consultation finished in January and the government is still analysing the response to that consultation. Nothing will happen before the election and we will wait and see what happens,” he said.

No New Prisons

However, the ICO’s plans to impose jail time on data thieves could face problems from potential cuts to public sector spending, with some of the parties hoping to scale back prison time for so-called minor crimes. The Liberal Democrats in particular oppose the building of new prisons. Writing in the Guardian last month, Liberal Democrat Shadow Home Secretary Chris Huhne said that prison was not the answer to curbing crime.

“Tories and Labour are pledging to send more people to prison for longer just because it sounds tough. Liberal Democrats would not build more prisons,” he wrote. “We are the only party brave enough to suggest that rigorous community sentences are more effective than short prison sentences.”

On the issue of the election and working with the future government, Smith said that data protection would continue to be a major issue for whichever party or parties got into power.

“We have a new government and I am a public servant so am not going to make any comment on that,” he said. “All the parties mention things on information rights within their proposals and this will be an issue and is relevant to all parties whatever colour the government is – or if we have a multi-coloured government.”

Not A Toothless Tiger

Smith also reiterated that thanks to new powers – to levy a fine of up to £500,000 on organisations that fail to protect personal data – the ICO now has the ability to confound its critics. “We have got some more powers now and are no longer the toothless tiger or bulldog we have been described as,” he said.

But despite the new powers, Smith admitted that the ICO could be doing more to enforce its mandate. One audience member pointed out that, despite around 300,000 so-called “data controllers” being registered with the ICO, only 900 incidents have been reported in the last two years.

“We don’t get as many reported as we would do if it was a mandatory scheme,” admitted Smith.

However, there are plans to make the reporting of some data breaches mandatory in the UK as part of a wider European directive. Telecoms companies will be required to report any data breaches and Smith indicated that this could be applied more generally in the future.

“Breach notification is currently voluntary but there is every prospect it will become a legal requirement,” he said. “The legislation is already there in the European directive and applies to telecommunications service providers. But within 18 months the UK will have to introduce breach notification legislation for ISPs and phone companies and other providers, and all the money is on that this will happen more generally too.”

But Smith also admitted that compulsory reporting of data incidents could hamper the work of the ICO by flooding it with minor complaints, leaving it less time to pursue the major incidents.

“If there is an obligation for all organisations to tell us about all breaches we will be swamped,” he said.

Andrew Donoghue
