ICO failing to get tough over data breaches


Simon Quicke

The fines might have started coming, and the fear of them is certainly on the corporate radar, but the Information Commissioner's Office is still not baring a full set of teeth when it comes to cracking down on those being careless with data.

A freedom of information request made by ViaSat has revealed that from 6 April last year, when the ICO was given the power to impose fines of up to £500,000, until 22 March this year, 2,565 breaches were reported.

But in that period of almost a year only 37 resulted in action from the ICO, with just four ending in fines being handed out.

Even with the ability to impose fines of half a million pounds, the ICO has so far shied away from issuing anything near that, preferring to keep the levels under the £100,000 mark.

In terms of likely targets for fines, the figures produced by the ViaSat request indicate that the financial sector is the vertical with the most breaches, followed by local government and health.

"The Information Commissioner has stated that 'you have to be selective to be effective'. However, the ICO has a tremendous amount of leeway in the penalties it levies and so far doesn't seem to be applying this in either direction," said Chris McIntosh, CEO of ViaSat.

He added that although the ICO had stated that the mere threat of a fine and the embarrassment of being caught were working to improve data protection, more fines did need to be handed out.

"If fines are rare and well below the maximum allowed limit, their value as a deterrent drops. Organisations will view the rarity of a fine and the associated negative publicity the same way they have viewed the threat of a data breach itself: an event that only happens to other people," he said.

The threat of fines was one consideration that resellers were finding occupied customers' minds, but there was also an acute awareness that being caught out publicly could do real damage to a firm's reputation.

"It is not just the fine but the business cost to the brand that they are worried about," said Sat Sanghera, director of business development at Datapoint, which specialises in selling into the financial sector.

The response to the lack of bite from the ICO continued to come in on the very day that it handed out a fine to another public sector organisation, NHS Birmingham East and North, for failing to protect sensitive data.

Nigel Hawthorn, vice president of marketing EMEA at Blue Coat Systems, said that unless more fines, at a higher value, were handed out, the Data Protection Act would be undermined.

"When the ICO last year increased the fines tenfold from £50k to £0.5m it sent a clear message to the market that companies needed to get their house in order. Why bother sharpening the ICO's teeth and enable it to issue increased fines if it is not prepared to bite and hand them out when necessary?" he asked.
