Industry News
Keep up with the latest developments and information.
Resource Center > Industry News > ICO says that £500,000 fines are proportionate
ICO says that £500,000 fines are proportionate
Wednesday, January 13, 2010
This article was published in Public Technology The Information Commissioner's Office is getting tougher over data security with 'proportionate' half a million pound fines for serious breaches. "The Information Commissioner's Office (ICO) will be able to order organisations to pay up to £500,000 as a penalty for serious breaches of the Data Protection Act," said an ICO statement. "The ICO has produced statutory guidance about how it proposes to use this new power, which has been approved by the Secretary of State for Justice, and has been laid before Parliament today." The size of the fine will be determined after an investigation to assess the gravity of the breach and will also be based on the size and finances of the organisation at fault, whether the breach was accidental or deliberate, and how much distress the leak of information caused. "The Information Commissioner will take a pragmatic and proportionate approach to issuing an organisation with a monetary penalty," the ICO statement said. "Factors will be taken into account including an organisation's financial resources, sector, size and the severity of the data breach, to ensure that undue financial hardship is not imposed on an organisation." "Getting data protection right has never been more important than it is today. As citizens, we are increasingly asked to complete transactions online, with the state, banks and other organisations using huge databases to store our personal details," said Information Commissioner Christopher Graham. "When things go wrong, a security breach can cause real harm and great distress to thousands of people." "These penalties are designed to act as a deterrent and to promote compliance with the Data Protection Act. I remain committed to working with voluntary, public and private bodies to help them stick to the rules and comply with the Act. But I will not hesitate to use these tough new sanctions for the most serious cases where organisations disregard the law." The original Act came into force in 1984. Under the most recent Act of 1998, data can only be used for the purposes for which it is collected and cannot be given to others without the consent of the individual. Everybody has the right to see information that is held about them, with the exception of crime-related data.The new rule is expected to come into force in the UK on 6 April 2010. Jamie Cowper, Director of European Marketing at data encryption firm PGP Corporation, welcomed the new fines, but warned that unless UK organisations clean up their act they could find them highly costly. "With 70% of UK firms admitting they were hit by at least one data breach last year, the ICO should have no shortage of businesses to fine. Furthermore, with the number of companies falling victim to breaches rising year on year, it's clear that more needs to be done to motivate companies with weak security strategies to shape up. A threat of a half a million pound fine is a powerful motivator. "The cost of data breaches is already staggeringly high for UK businesses; last year the average breach cost £1.7m, or £60 for each identity lost. If the ICO's bite turns out to be as big as its bark, this cost could exceed £2m; a huge expense at a time when businesses and public sector bodies can ill afford to waste money. "Organisations that want to avoid these massive financial penalties must look to implement watertight data protection strategies, employing proven technologies such as data encryption to ensure that confidential information is locked down. It is only by doing so that companies can be sure that their customers, reputations and profits are protected."
The Information Commissioner's Office is getting tougher over data security with 'proportionate' half a million pound fines for serious breaches.
"The Information Commissioner's Office (ICO) will be able to order organisations to pay up to £500,000 as a penalty for serious breaches of the Data Protection Act," said an ICO statement. "The ICO has produced statutory guidance about how it proposes to use this new power, which has been approved by the Secretary of State for Justice, and has been laid before Parliament today."
The size of the fine will be determined after an investigation to assess the gravity of the breach and will also be based on the size and finances of the organisation at fault, whether the breach was accidental or deliberate, and how much distress the leak of information caused.
"The Information Commissioner will take a pragmatic and proportionate approach to issuing an organisation with a monetary penalty," the ICO statement said. "Factors will be taken into account including an organisation's financial resources, sector, size and the severity of the data breach, to ensure that undue financial hardship is not imposed on an organisation."
"Getting data protection right has never been more important than it is today. As citizens, we are increasingly asked to complete transactions online, with the state, banks and other organisations using huge databases to store our personal details," said Information Commissioner Christopher Graham. "When things go wrong, a security breach can cause real harm and great distress to thousands of people."
"These penalties are designed to act as a deterrent and to promote compliance with the Data Protection Act. I remain committed to working with voluntary, public and private bodies to help them stick to the rules and comply with the Act. But I will not hesitate to use these tough new sanctions for the most serious cases where organisations disregard the law."
The original Act came into force in 1984. Under the most recent Act of 1998, data can only be used for the purposes for which it is collected and cannot be given to others without the consent of the individual. Everybody has the right to see information that is held about them, with the exception of crime-related data.The new rule is expected to come into force in the UK on 6 April 2010.
Jamie Cowper, Director of European Marketing at data encryption firm PGP Corporation, welcomed the new fines, but warned that unless UK organisations clean up their act they could find them highly costly. "With 70% of UK firms admitting they were hit by at least one data breach last year, the ICO should have no shortage of businesses to fine.
Furthermore, with the number of companies falling victim to breaches rising year on year, it's clear that more needs to be done to motivate companies with weak security strategies to shape up. A threat of a half a million pound fine is a powerful motivator.
"The cost of data breaches is already staggeringly high for UK businesses; last year the average breach cost £1.7m, or £60 for each identity lost. If the ICO's bite turns out to be as big as its bark, this cost could exceed £2m; a huge expense at a time when businesses and public sector bodies can ill afford to waste money.
"Organisations that want to avoid these massive financial penalties must look to implement watertight data protection strategies, employing proven technologies such as data encryption to ensure that confidential information is locked down. It is only by doing so that companies can be sure that their customers, reputations and profits are protected."
Argentina
Belgium
Canada (English)
France
Germany
Ireland
Luxemburg
Puerto Rico
South Africa
South Korea
Singapore
UAE
UK
USA