ICO Bares Its Teeth With Fifth Data Breach Fine

The Information Commissioner’s Office, which deals with data protection and online privacy in the UK, is preparing to issue its fifth data breach fine.

At a Westminster eForum on 22 March, the information commissioner Christopher Graham said that the fine would prove to data controllers that the Information Commissioner’s Office (ICO) is not toothless, and remind them that inadequate security policies can cause significant reputational damage.

“Data controllers should realise, if they let consumers down, a fine from the ICO will be the Mark of Cain,” he said.

Graham did not offer any further details on which organisation would be subject to the fine, but a number of organisations – including Wolverhampton City Council, Leicester City Council and the University of York – have been flagged up by the ICO for data breaches in the last few weeks.

‘Small fangs’

The ICO was given the power to fine companies that fall foul of the data breach laws up to £500,000 in January 2010, but did not issue its first penalty until November 2010, following months of apparent inaction. Hertfordshire County Council was ordered to pay a fine of £100,000 for revealing details of a sex abuse case to a member of the public, and employment agency A4e was fined £60,000 for losing a laptop which contained the unencrypted details of thousands of people.

Then in February, Ealing Council was hit with a £80,000 fine and Hounslow Council was charged £70,000, for losing laptops that contained sensitive personal data. Deputy ICO commissioner David Smith said the two councils were paying the price for lax data protection practices.

“The ICO recently got bigger teeth,” said Philip James, senior associate for media, brands and technology at Lewis Silkin. “One might even say it had small fangs.”

According to Graham (pictured), the ICO goes by the theory that “you have to be selective to be effective”. He said that there was little benefit in punishing every organisation that suffers from data loss, but that the ability to issue fines served as “the big stick in the cupboard”.

“Let’s hope it stays there, but it’s there to be used,” he added.

Data protection act needs updating

Graham admitted that the Data Protection Act of 1998 – which the ICO is charged with upholding – is beginning to show its age, but reminded organisations that the EU’s new electronic communications regulation, which updates the current Privacy and Electronic Communications Directive is due to arrive in 40 working days. This will include mandatory brief notifications for telecoms companies and changes to cookie laws.

“The European institutions, and the Commission in particular, expect a change in the law to mean change in behaviour. This is about informed consent,” he said. “It’s very desirable in so far as giving consumers greater transparency and control over their computers and services they access.”

He said that a one-size-fits-all approach was no longer appropriate, and that the ICO is working for a more realistic directive, that takes account of the way the world really is in the 21st century.

However, according to Caspar Bowden, worldwide technology officer for privacy at Microsoft, market forces will not help to improve privacy. He said the notion that consumers were in a position to assess their own privacy risk was “moonshine,” and that the obligation of data protection must fall on the regulator.

Earlier this week, a report by the Ponemon Institute revealed that the average data breach costs UK organisations £1.9 million – an increase of 13 percent from 2009, and 18 percent from 2008. The report, which was sponsored by Symantec, found that incidents ranged from 6,900 to 72,000 records, with the cost of each breach varying from £36,000 to £6.2 million.