Data watchdog issues first data loss fines
By Stewart Mitchell
Posted on 24 Nov 2010 at 09:09
The Information Commissioner's Office has finally issued its first monetary penalties six months after being given the power to issue fines for data breaches.
The data protection watchdog, which has come under fire for its failure to act in earlier cases, such as the Google Street View breach, got tough in issuing two fines totalling £160,000.
The first culprit handed a fine was Hertfordshire County Council, which was punished for twice sending faxes containing child abuse case details to the wrong recipients.
But the ICO finally seemed to have met the computer-based data threat head on when it fined employment services company A4e £60,000 for losing an unencrypted laptop.
According to the ICO, the notebook contained the personal details of 24,000 people who had used legal advice centres in Hull and Leicester.
“These first monetary penalties send a strong message to all organisations handling personal information,” information commissioner Christopher Graham said in a statement. “Get it wrong and you do substantial harm to individuals and the reputation of your business.”
Both breaches occurred back in June, shortly after the watchdog was given the power to issue penalties of up to £500,000.
The A4e case stemmed from the company issuing an employee with an unencrypted laptop, which was later stolen from the staff member's house.
The notebook contained personal information – including full names, dates of birth, postcodes, employment status, income level, alleged criminal activity and whether individuals had been victims of violence – of 24,000 people.
According to the ICO, the thieves tried unsuccessfully to access data shortly after stealing the laptop and the £60,000 fine reflected the “substantial distress” that could have been caused by the loss.
“A4e did not take reasonable steps to avoid the loss of the data when it issued the employee with an unencrypted laptop, despite knowing the amount and type of data that would be processed on it,” the ICO said.
As the ICO finally seems to be toughening up http://bit.ly/bQY4UJ it raises questions about how the fines are applied. Whilst it is disappointing that Google could not be fined as the offence occurred before the ICO could implement stronger penalties, to hear of local councils receiving large fines is also concerning for the public. A balance surely needs to be met, potentially basing the fine not only on the size of the breach, but also of the organisation at fault. It remains to be seen how much these fines will act as a deterrent.
By Juliette_msc on 24 Nov 2010
So council fined £100k will up the tax next year accordingly. What's the point?
By Lomskij on 24 Nov 2010
Agreed Lomskij - the council hasn't been fined at all - the council tax payers have and it's not their fault.
The punishment, for public bodies should be levied on the individuals concerned and their management if necessary - maybe not a fine of £100,000 but something realistic to deter them and everyone else and make them think twice about what they are doing.
Actually, to keep it consistent, there is no reason why individuals should not be fined in private enterprise too if found guilty.
By Fraz_pro on 24 Nov 2010
Fines out of all proportion
The sizes of these fines seem more in the realm of the ridiculous $1.3 billion fine just awarded in the Oracle v SAP case: plucked out of thin air and out of all proportion to the loss.
Using that scale though, how much would the Google Street View fine have been? Several billions? Certainly enough to pay part of the deficit back...
By SwissMac on 24 Nov 2010
@Juliette_msc:
Are you suggesting we punish people according to who they are?
God, it really is time for a revolution.
By steviesteveo12 on 24 Nov 2010
Data Misuse
Good to see the ICO finally getting its act together.
How about them taking on the DVLA and their persistent misuse of car registration info. The act states that information shall only be used for the purpose for which it was gathered, surely this doesn't include supermarkets, clamping and the like. There are exceptions for the legal authorities in pursuit of criminals.
It seems that the present situation is out of control.
By peterhb1 on 24 Nov 2010
Who benefits from the fine?
So, 24000 people are now possible candidates for massive credit card fraud - name, d.o.b and postcode - there's not much else that the crims need to be able to access your card details online, change the password and spend to your max.
And the £60k fine goes to those that have to suffer the knock-on effect of missed payments, updating all their records, sorting out the other messes that turn up?
I doubt it.
So, why not make the fine more like this:
Ask each of the 24000 people affected how much it will cost them to put their lives back in order and send the bill to the company / organisation / council that made the mistake.
Much simpler
(Yep - I know - it'll never happen)
By Sercul on 25 Nov 2010
Get protection - before it's too late
It was announced earlier this month that the ICO would issue its first fine in November. Since then, a number of companies have fallen victim to large fines. A question that springs to mind is whether or not these companies are actually the worst offenders or were just in the wrong place at the wrong time.
Although the companies mentioned in the article did in fact breach the data protection act and were right to be fined, other firms have been let off with warnings this year for much worse – is this just the ICO flexing its muscles and scaremongering? It seems very convenient that a public and private sector firm were fined at the same time just before the end of the month. Who will be next? It could be anyone and companies, both public and private need to make sure their data is protected.
Sensitive information is often stored on the hard drives of endpoint systems and on removable media. Organisations need to ensure that this data is persistently protected and one way of doing this is via encryption. The loss of one of those systems or media could expose corporate information, personnel records, government secrets, or intellectual property, producing disastrous effects for organisations. Encryption is transparent and there is no disruption to business operations, performance, or the end user experience.
When sensitive data on endpoints is secured organisations can focus on other areas. Data needs to be fully protected or the next example made by the ICO could be for the full £500,000.
Gary Clark, Vice President EMEA, SafeNet
www.SafeNet-inc.com
By GaryClark_SafeNet on 25 Nov 2010
@GaryClark - Spammer
Yes. However, taking advantage of the article to promote your site is known here as spamming.
My advice to anyone thinking of employing a company or consultant is to rule out spammers from the start.
By greemble on 25 Nov 2010