Cyber Security Institute

§ Current Worries

Top 3 Worries

  • Regulations
  • Old Firewall Configurations
  • Security Awareness

§ Listening

For the best information

  • The underground
  • Audible
  • Executive Excellence
  • Music (to keep me sane)

§ Watching

For early warnings

  • 150 Security Websites
  • AP Newsfeeds
  • Vendors

Monday, April 05, 2010

Firms unprepared for new ICO powers

Experts are warning that many firms may still not be aware of new powers granted to data protection watchdog the Information Commissioner’s Office (ICO) which will enable it to fine businesses up to £500,000 for serious breaches of the Data Protection Act (DPA).  The new powers, which it is hoped will act as a deterrent and promote compliance with the DPA, were initially approved by the justice secretary in January after years of lobbying by the ICO, and come into force on Tuesday.

“When things go wrong, a security breach can cause real harm and great distress to thousands of people,” said Information Commissioner Christopher Graham at the time. “UK businesses should take note of the new rules and ensure they have effective data protection compliance measures in place to meet the ICO’s standards,” he added.

Nugent suggested that the new powers may also pave the way for other measures under consideration, including potential prison sentences for criminal offences involving the misuse of personal data.

However, William Malcolm, an information law expert at international law firm Pinsent Masons, warned that the new powers represent a “step change” for the ICO that many firms may not be aware of. “While this is a significant deterrent now, they need to make sure they carry out reviews of how personal data is handled, and implement sensible controls to ensure that data is protected,” he said.

“The ICO has stepped up enforcement in recent years, and would undoubtedly have used the powers to deal with some of the cases it has dealt with over the past six months had they been available.”

Richard Turner, chief executive of data security firm Clearswift, agreed that education efforts need to be stepped up. “The ICO will have a wide scope of interpretation when applying its new regime, as the fines can be levied for breaches of principles, rather than against the underlying detailed legal requirements … The first few fines the ICO levies will therefore set the tone,” he said.

“While the largest fines may only be dealt out to larger companies for serious breaches of the DPA, all organisations are now faced with a very real threat of significant financial penalties over and above any existing operational clean up costs and reputational damage should they suffer a breach.”

Posted on 04/05