ICO Issues First Data Loss Fines

The Information Commissioner has issued two fines for data loss and breaches of the Data Protection Act, bringing to an end months of speculation over when it would use the powers it gained in April to penalise negligent organisations.

Hertfordshire County Council has been ordered to pay a fine of £100,000 for revealing details of a sex abuse case to a member of the public, and employment agency A4e has been fined £60,000 for losing a laptop which contained the unencrypted details of thousands of people.

Fax revelations get first big fine

Hertfordshire’s fine is for information revealed through fax messages, rather than more modern technology. On two occasions, the council sent faxes to the wrong recipients, revealing personal details of two sex abuse cases.

The first fax went to a member of the public instead of a barrister, while the second one went to a barrister when it should have gone to Watford County Council. Both revealed details of child abuse cases, including previous convictions, case workers’ opinions and childcare details.

In the first case, the council obtained a court injunction preventing further spread of the information, and reported itself to the Information Commissioner’s Office. “We are sorry that these mistakes happened and have put processes in place to try and prevent any recurrence,” said a council statement.

Stolen laptop warrants penalty

“It is difficult to imagine information more sensitive than that relating to a child sex abuse case,” said the Commissioner, Christopher Graham. “I am concerned at this breach – not least because the local authority allowed it to happen twice within two weeks.”

Although the ICO has asked for jail sentences for offenders, it has so far been hesitant to issue fines, despite a regular stream of lost USB sticks, hard drives and laptops which expose people’s personal data. The NHS has been particularly careless with people’s details, according to ICO information.

The ICO was branded “Keystone Kops” by Conservative MP Robert Halfon for its failure to crack down on Google over the high-profile WiSpy incident, in which some Wi-Fi data was accidentally snooped by Street View cars.

Meanwhile, a worker at Sheffield-based A4e had a laptop stolen from his home, where he had been working on records of 24,000 people who used legal advice centres in Hull and Leicester. The data was unencrypted, and the thief made an attempt to access it.

A4e also reported itself to the ICO, and notified people whose data might have been compromised.

Mr Graham was less concerned about the A4e breach, but said it “also warranted nothing less than a monetary penalty as thousands of people’s privacy was potentially compromised by the company’s failure to take the simple step of encrypting the data”.

Peter Judge

Peter Judge has been involved with tech B2B publishing in the UK for many years, working at Ziff-Davis, ZDNet, IDG and Reed. His main interests are networking security, mobility and cloud

Comments

  • Richard Turner, Chief Executive at software security company Clearswift, comments:

    “The cases brought to light by the ICO today serve to highlight the fact that data security is far more complex in today’s business environments where a wide range of communication channels are in use. Organisations need to realise that, in conjunction with security technology, their staff can be a powerful additional protector of data security.

    “For data security policies to be really effective, employees need to understand what the parameters are and more importantly why they are there. Otherwise ‘accidents’ happen when they try to find a way to get around them. Education and explanation of web and email policies means that people can actively take on board the risks and adapt their behaviour in the long-term.”

  • As the ICO finally seems to be toughening up http://bit.ly/gA5jfs it raises questions about how the fines are applied. Whilst it is disappointing that Google could not be fined as the offence occurred before the ICO could implement stronger penalties, to hear of local councils receiving large fines is also concerning for the public. A balance surely needs to be met, potentially basing the fine not only on the size of the breach, but also of the organisation at fault. It remains to be seen how much these fines will act as a deterrent.

  • A comment received from Frank Kenny, vice president of Ipswitch, a former Gartner analyst

    “These are not ‘fines’ as is being widely reported, but civil penalties. This is part of a wider trend whereby the penalties for, and consequences of, inadequate security measures are increasingly costly and come from different sources – from the payments card industry, to government and private sector contracts, to activist regulators and the public at large.”

    “Technically, these breaches are classic cases of organisations doing their best to get the job done with the minimum of hassle – part of a pragmatic culture that our research shows still to be prevalent in organisations. What is really needed is for organisations to decide upon and adopt a single, ergonomic, avenue for handling and auditing their sensitive data.”

  • Resorting to punitive measures, such as fines, represents a sad day in the history of information security. Alas, the repeated examples of lax corporate and public sector security awareness and compliance have made it an unfortunate necessity.

    The sizable fines the Information Commissioner’s Office can impose, as demonstrated in these cases, will hopefully deter organisations of all types from falling behind on data security.

    However, if past instances of data loss and theft teach us anything, it is that regulation alone will not solve the problem. Such measures must be aligned with an overall government effort to encourage and build a culture of security best practice and common sense, underpinned by solid technologies that can deliver the level of security required by law and be able to cope with emerging threats and the changing ways in which we work.
