Infosec: ICO Denies Fining One Percent Of Breaches

The Information Commissioner lets 99 percent of firms get away with breaches, says ViaSat. The ICO disputes the figure

The Information Commissioner’s Office (ICO) has acted on only one percent of the data breaches reported to it – but a senior figure at the ICO disputes the finding.

A Freedom of Information Act (FoI) request revealed that the Information Commissioner’s Office (ICO) has acted on less than one percent of the data breaches reported to it, hardware encryption specialist ViaSat UK said on Wednesday.

The firm found that 2,565 incidents had been reported, while the ICO has disclosed actions in 36 cases, including only four fines. Today, the Deputy Information Commissioner David Smith told the Infosec show in London that the figures were wrong.

Public sector targeted

ViaSat says the figures cover the period between 6 April 2010, when the ICO received the power to fine organisations that breach the Data Protection Act, and 22 March 2011, during which time four fines were issued. A fifth fine has since been hinted at.

Smith (pictured) told the conference that ViaSat had actually trawled together all the incidents reported since 2007. He is reported by SC Magazine as saying: “We are not happy with (these findings). It is quite inaccurate and this is not the number reported.”

As well as the low level of action, ViaSat claimed a bias in the fines: although the majority of reported breaches came from the private sector, outnumbering the public sector by nearly 3 to 2, the public sector has received the most actions and fines to date. Within the private sector, financial organisations accounted for nearly one in five breaches.

To date the ICO has acted against seven private sector organisations, penalising one, and that fine is the smallest that the ICO has yet handed out – a £60,000 fine against services company A4e.

Meanwhile the ICO has acted against 29 public-sector organisations, penalising three. The heaviest fine yet was a £100,000 penalty to Hertfordshire County Council for faxing details of a child sex abuse case to the wrong recipient.

“The public sector… dutifully reports its failures under the data protection act and receives more, and larger, penalties as a result,” said ViaSat chief executive Chris McIntosh in a statement.

McIntosh said the ICO must take a harder line on applying harsher penalties and must publicise this fact.

“If fines are rare and well below the maximum allowed limit, their value as a deterrent drops,” he stated. “Organisations will view the rarity of a fine and the associated negative publicity the same way they have viewed the threat of a data breach itself: an event that only happens to other people.”

More power

He also argued the ICO should be given more power, including greater leeway in imposing penalties, higher penalties and the ability to take a more active role in monitoring data use.

“We have already seen the ICO humiliated by Google [when it cleared it of a breach in the WiSpy incident – Editor]: if we want it to be more than an organisation handing out minor fines to local government, it must be given more power,” McIntosh stated.

The ICO responded that it is not necessary to apply fines in order for them to have a positive effect.

“The existence of civil monetary penalties has had a markedly beneficial effect on compliance generally,” the ICO stated. “The big stick is there, but doesn’t need to be deployed all the time to have an effect.

“For a monetary penalty to be served the Information Commissioner has to satisfy a strict set of criteria including that the breach could have caused substantial damage or substantial distress to individuals and that the organisation knew, or ought to have known, that there was a risk that a breach may occur. We will always consider the imposition of a monetary penalty where these criteria are met.”

The ICO was given the power to fine companies that fall foul of the data breach laws up to £500,000 in January 2010, but did not issue its first penalty until November 2010, following months of apparent inaction. Hertfordshire County Council was ordered to pay a fine of £100,000 for revealing details of a sex abuse case to a member of the public, and employment agency A4e was fined £60,000 for losing a laptop which contained the unencrypted details of thousands of people.

Then in February, Ealing Council was hit with an £80,000 fine and Hounslow Council was charged £70,000, for losing laptops that contained sensitive personal data. Deputy Information Commissioner David Smith said the two councils were paying the price for lax data protection practices.