Careless businesses beware - The Information Commissioner's Office will be imposing much stiffer fines for data security breaches in the future.
The Information Commissioner's Office (ICO) is getting tougher over data security with the imposition of fines of up to half a million pounds for serious breaches, something which could prove costly for careless marketeers.
"The Information Commissioner’s Office (ICO) will be able to order organisations to pay up to £500,000 as a penalty for serious breaches of the Data Protection Act," said an ICO statement. "The ICO has produced statutory guidance about how it proposes to use this new power, which has been approved by the Secretary of State for Justice, and has been laid before Parliament today."
The size of the fine will be determined after an investigation to assess the gravity of the breach and will also be based on the the size and finances of the organisation at fault, whether the breach was accidental or deliberate, and how much distress the leak of information caused.
"The Information Commissioner will take a pragmatic and proportionate approach to issuing an organisation with a monetary penalty," the ICO statement said. "Factors will be taken into account including an organisation’s financial resources, sector, size and the severity of the data breach, to ensure that undue financial hardship is not imposed on an organisation."
"Getting data protection right has never been more important than it is today. As citizens, we are increasingly asked to complete transactions online, with the state, banks and other organisations using huge databases to store our personal details," said Information Commissioner Christopher Graham. "When things go wrong, a security breach can cause real harm and great distress to thousands of people."
"These penalties are designed to act as a deterrent and to promote compliance with the Data Protection Act. I remain committed to working with voluntary, public and private bodies to help them stick to the rules and comply with the Act. But I will not hesitate to use these tough new sanctions for the most serious cases where organisations disregard the law."
The original Act came into force in 1984. Under the most recent Act of 1998, data can only be used for the purposes for which it is collected and cannot be given to others without the consent of the individual. Everybody has the right to see information that is held about them, with the exception of crime-related data. The new rule is expected to come into force in the UK on 6 April 2010.
Jamie Cowper, director of European marketing at data encryption firm PGP Corporation, welcomed the new fines, but warned that unless UK organisations clean up their act they could find them highly costly. "With 70% of UK firms admitting they were hit by at least one data breach last year, the ICO should have no shortage of businesses to fine. Furthermore, with the number of companies falling victim to breaches rising year on year, it’s clear that more needs to be done to motivate companies with weak security strategies to shape up. A threat of a half a million pound fine is a powerful motivator.
"The cost of data breaches is already staggeringly high for UK businesses; last year the average breach cost £1.7 million, or £60 for each identity lost. If the ICO's bite turns out to be as big as its bark, this cost could exceed £2 million; a huge expense at a time when businesses and public sector bodies can ill afford to waste money.
"Organisations that want to avoid these massive financial penalties must look to implement watertight data protection strategies, employing proven technologies such as data encryption to ensure that confidential information is locked down. It is only by doing so that companies can be sure that their customers, reputations and profits are protected."