
Information Commissioner turns up the heat on data breach culprits

By Ron Condon, UK Bureau Chief
30 Oct 2008 | SearchSecurity.co.uk


New powers being sought by the Information Commissioner will allow his office to make unannounced swoops on companies it suspects of wrongdoing, and in the worst cases, to impose fines of up to 10 per cent of the culprit's annual turnover.

Richard Thomas, the Information Commissioner, used a speech at the RSA conference in London to repeat his call for more powers and resources to enforce good data protection throughout government and the private sector.

To support his claims, he noted that 277 data breaches had been reported to his office since HMRC lost 25 million child benefit records nearly a year ago.

Parliament has already granted powers to the Information Commissioner's Office (ICO) to impose fines on organisations that wilfully breach the data protection principles, but the levels have not yet been set by the Home Office. Thomas said he expected the maximum fine to be set in line with that of the Financial Services Authority, which can fine a financial services company up to 10 per cent of turnover.

Thomas said he also expects the current rules, which prevent him from inspecting a system without the owner's permission, to be changed. He said he preferred to work with companies' co-operation, but that in some cases new powers would be required.

He said he also expects the current flat £35 annual registration fee that all data controllers pay to be increased for larger organisations. The ICO currently has 300,000 data controllers registered, which gives it an annual budget of £10.5 million. By raising fees for bigger organisations, he said he planned to raise this to around £17 million. Thomas reminded the audience that the Health & Safety Executive has a budget of £890 million.

On the question of mandatory disclosure of breaches, which has operated in most states of the US for the last five years, Thomas said he was against adopting a similar approach in the UK or Europe. "Each breach carries different levels of risk and, consequently, requires a different response," he said. "Unless written and interpreted with very great care, a mandatory notification requirement would add a significant extra burden for organisations and, more worryingly, could produce breach fatigue if it were to result in frequent and unnecessary notifications of minor incidents. This carries the very real danger that people will ultimately ignore notifications when there is, in fact, significant risk of harm."

Thomas, who will step down from his job next June, also called for a review of the EU directive on privacy, which he described as "too prescriptive and burdensome." The ICO has commissioned its own research into what kind of laws would work better and will publish a final report of its findings next June, Thomas said.

Of the 277 data breaches reported in the last year, 28 were in central government, 75 in the NHS and other health bodies, and 80 in the private sector. The ICO is investigating 30 of the most serious cases, and has taken enforcement action against HMRC, the Ministry of Defence, the Department of Health, the Foreign and Commonwealth Office, Virgin Media Ltd, Skipton Financial Services, Carphone Warehouse, Talk Talk, and Orange Personal Communications Services Ltd.
