We need disclosure not data breach fines
Public sector managers and private CEOs alike will struggle to miss a new and apparently harsh provision that comes into force today, threatening Â£500,000 fines for any organisation found to have committed a serious breach of the Data Protection...
At worst, this will result in a fine of £500,000 ($800,000) by the Information Commissioner’s Office (ICO), though the first limitation is that only the worst data breaches will attract such a harsh penalty. Most fines will be much lower, so the headline figure is scarier than it need be.
What will make one breach worse than another? Very hard to say, but scale and incompetence will be the starting points, and interpretation of the notion of ‘recklessness’ might come into play.
Local authorities and government departments would have paid out quite a bit in fines had the ICO had such a power a decade ago (or had even existed as a body), but then an organisation like the ICO fining the public sector is just moving public money around.
As to the private sector, a good example popped up only a week ago, that of the Zurich Insurance which lost an unencrypted backup tape with details of 46,000 customers on it. This case is a good example of the complexity of modern data protection, involving UK consumers, a tape lost in South Africa by a subsidiary company of the parent, Zurich Insurance plc, which was not told of the loss for over a year.
That sounds pretty serious to me but I doubt that the full fine would have been levied for this breach, nor would it necessarily have made a difference in the event that it had.
All companies will feel the incentive to take security more seriously in theory, but the nature of the data movement, its off-shore nature, and the reporting chain all make it a complex security problem not easily solved by mere fines and legislation such as the DPA.
“I encourage all organisations to report any serious data security breaches to us so that the nature of the breach or loss can be considered. I am pleased to see that Zurich Insurance plc has taken remedial steps to ensure individuals’ personal details are protected in future,” said ICO enforcement head, Sally-Anne Poole, referring to Zurich’s decision to use encryption on such tapes in future.
Look into this and other recent cases (the ICO mentions a number) and it is clear that what is working here is not the regime of punishment but the one of disclosure.
How many data breach events we don’t hear of is hard to factor, but I’d guess that as organisations get larger, breaches are probably more likely to reported but will be harder to detect, the exact opposite of small companies. There, fines seem to make it more likely that breaches will not be reported, just as the Data Protection Act itself is accorded lip service.
I’d wager that the DPA has been broken unwittingly a million times by employees who would struggle to repeat its principles, interestingly only one of which relates directly to security.
What the UK needs is not a culture of fines per se, but a culture of disclosure. Companies, right down to the fearful employees, have to feel that it is in their interests to admit to failures the better that the people supposed to be protected by the DPA get to hear about them.
The fine should not be for the breach surely - there are already laws against that - but for covering it up, a course of action with even more serious consequences.