When will organizations pay for data breaches?

By Grant Campbell, Special to ZDNet Asia
Thursday, July 02, 2009 09:02 AM

Perspective: Data losses have provided the U.K. press with an ongoing stream of stories for more than 18 months now.

The first big story, in November 2007, was HM Revenue and Customs' loss of discs containing child benefit data on 25 million people. Since then the press has been spoiled for choice of incidents of this nature, with a wealth of embarrassing headlines affecting the government and its contractors in particular.

The role of the Information Commissioner's Office (ICO) as the independent body charged with policing and enforcing data protection legislation is to promote good practice and ultimately, as the regulator, to take enforcement action against organizations where they are found to have fallen short.

Currently, if the ICO hears of a security breach--either because the organization affected has notified it of the incident or as a result of a complaint--the ICO has various assessment powers to allow it to establish the facts of the case and, crucially, to form a view on whether there has been a breach of data protection legislation.

However, even where the office concludes that an organization has failed to comply with its statutory obligations to keep our information safe, in most cases the organization at fault will at worst be required to give a formal undertaking to the ICO to comply in full with its data protection obligations in future, provided it cooperates with the ICO in resolving the situation.

Only in extreme cases might formal enforcement action be taken and, even then, the ICO still has no 'live' power to fine the organization for its compliance failure.

The furor created by various high-profile data security scandals forced politicians to concede that the regulatory environment was inadequate. The government commissioned various investigations and reports and brought into force certain changes designed to improve internal procedures, including mandatory rules on data security provisions in central government contracts.

In the midst of all of this, the enactment in May last year of a power for the ICO to impose monetary penalties for serious breaches of data protection legislation emerged as an unexpected--but very welcome--strengthening of the regulatory regime. Suddenly it seemed that the lack of clout that has traditionally hindered data protection would become a thing of the past, with the protection of personal information finally becoming a board-level issue.

However, progress on the preparatory work required for the power to become operational has been slower than many had hoped. Work is ongoing on the part of the ICO and the U.K. Ministry of Justice to put in place the guidance which the ICO is required to issue on how it intends to exercise the power, and the regulations which will set the level of the fines available to the ICO.

This is no doubt a challenging and time-consuming exercise and one that must be done properly if it is ultimately to be successful. However, as I write, there is still no formal, public commitment to its being complete by a certain date. (Informal indications are that the target long-stop date for the power's go-live is the end of this year.)

Fundamental change is required in many organizations if they are to regain the public's trust in their handling of personal information. The only sure-fire incentive to such change is the real and present threat of sanction. The current position--the risk of an unspecified level of fine at an undefined point in the future--is, unsurprisingly, not proving a suitable catalyst for wholesale attitude change.

The government and the ICO have an excellent opportunity to build on the momentum created by the press interest in data protection matters over the past year or so. However, to do that, it is vital that the new power becomes operational as soon as possible, and with as much fanfare as possible.

In particular, preparations for go-live of the power should not be sidetracked by other (still important) developments, such as the proposed further legislative changes in the Coroners and Justice Bill, or indeed the replacement (at the end of June) of Richard Thomas, the current Information Commissioner, by his successor Christopher Graham.

In the meantime, the Information Commissioner's ability to sanction continues to lag behind many of his European counterparts. Most organizations therefore content themselves with minimal improvements (if any) to their data protection practices and procedures, safe in the knowledge that (with the exception of those in the financial services sector, who are subject to the jurisdiction of the FSA) even a material data protection compliance failure is unlikely to have major, direct financial implications.

Grant Campbell is a partner and head of the technology, information and outsourcing group at law firm Brodies LLP. This article was first published on ZDNet Asia's sister site, Silicon.com.
