ICO breaks £1m milestone in Monetary penalties

As the Information Commissioner's Office (ICO) hands out two more hefty fines, it hits the £1m threshold of fines issued.  Granted the majority of these fines have been in the Public Sector, but that does not eliminate private businesses who have also received fines and investigations.

The ICO is clamping down hard on data breaches, with new guidelines being proposed January 2012 which will come into play over the coming months and years.

The UK is working alongside Europe with a new set of guidelines that cover trade between countries.  This is taking the legislation one step further in so far as if you deal with a company in France and have a breach of their data, you could find yourself in a French court!

We are interested to understand more fully how this is impacting on business.  It is clear that public authorities have been the main focal point, however, a small firm of Lawyers was fined £200,000 (reduced to £1,000 due to company closure) and a privately owned training company £60,000.  Alongside this individuals have been fined for the theft of data from their employers.

Do the initial fines indicate that the ICO has been establishing their case law and will now look to a much wider business community? We believe it does.
They have published where their main focus will be during this year, being:-

  • Health
  • Credit and Finance
  • Criminal Justice
  • Internet and mobile services
  • Security

They have had a major push within the private sector informing companies that they need to be registered with the Act at the very least.  Industries thought to be most at risk are professional services such as Accountants, Lawyers, Estate Agents and the Health Sector.

So what does this mean for you?

The ICO has the power to issue fines without any type of court interaction and the majority of fines have been issued due to lack of staff awareness or staff negligence in handling sensitive data.

Security technology is growing at an exponential rate, but where a member of staff needs information they will find a way to get it – technology can only cover you so much – staff need to be aware of what they can and can’t do within the bounds of their roles and responsibilities.

The ICO cover this element of risk by recommending staff should be assessed four times per annum with regular awareness sessions provided where vulnerabilities are found.  It is accepted that information can be stolen on laptops and other devices, however, this is where technology plays a part with encryption and adequate security built into everything that leave the offices.  The ICO say there is no excuse.

By looking at the technology required, training and awareness for the staff and regular staff assessment, you will go a long way to start and protect yourself, but it doesn’t start and end as one project.  It is an ongoing appraisal that needs to be reviewed at regular intervals.

Your policy needs to be carefully defined and communicated to everyone in the organisation, with key individuals taking full responsibility for the care of sensitive data.  Security measures need to be constantly reviewed.  Alongside all of this the basics need to be embedded within everyone in your organisation.

You will find you have four areas of risk within your business:-

  • Legal / Compliance – Are you sure you are adhering to the legislation?
  • Financial – Would a fine wipe you out?
  • Productivity – The risk of operational losses and customer services delivery.
  • Reputation and Customer Confidence – would your customers still support you if you lost their data.

The legislation seems to be heading in the same direction as that surrounding health and Safety.  The ICO has targets to hit and no organisation is beyond their reach.

More information on how to build your staff’s awareness here.