The government has approved new penalties for organisations that lose sensitive data, with possible fines of up to £500,000 for serious offenders.
The revised penalties, which come into force on 6 April this year, are intended as a deterrent to public, private and voluntary bodies that hold sensitive information about employees or customers, and to send a clear message about the consequences of data loss.
The cause and size of the loss, as well as the financial standing of the affected organisation, will all be considered when reviewing penalties for future offenders.
Information Commissioner Christopher Graham said: “These penalties are designed to act as a deterrent.
“When things go wrong, a security breach can cause real harm and great distress to thousands of people. I remain committed to working with voluntary, public and private bodies to help them stick to the rules and comply with the Act. But I will not hesitate to use these tough new sanctions for the most serious cases where organisations disregard the law.”
Jamie Cowper, director of European marketing at data encryption firm PGP Corporation, said: “The cost of data breaches is already staggeringly high for UK businesses; last year the average breach cost £1.7m, or £60 for each identity lost.
“If the ICO’s bite turns out to be as big as its bark, this cost could exceed £2m – a huge expense at a time when businesses and public sector bodies can ill afford to waste money.
“Organisations that want to avoid these massive financial penalties must look to implement watertight data protection strategies, employing proven technologies.”
The move follows several high-profile data losses from the Ministry of Defence and the DVLA.
Copyright © Press Association 2010
What’s your view on these revised penalties? Your comments:
“It is promising to see the ICO taking positive measures to tackle personal data security breaches. Half a million pounds is a tidy sum; small enough to comprehend, large enough to matter. According to the new statutory guidance as provided by the ICO, this will be delivered for the most serious breaches – but with one violation enough to justify the penalty. Further, it seems the seriousness of the breach is only one aspect; it does not have to be a deliberate contravention. Reckless disregard through poor corporate governance, failure to carry out a risk assessment, or lack of a compliance regime, are all aggravating factors. The Information Commissioner clearly understands IT security, as seen in its references to the likes of encryption and the information security standard, ISO27001; however, organisations need to be aware that one size does not fit all. Businesses have the flexibility to select adequate security measures that best match their business needs, and act accordingly. Helpfully, the statutory guidance also states that payment is accepted by BACS transfer or cheque: if you don’t want to be the first, then it’s time to take action” – Chris Mayers, Chief Security Architect, Citrix, UK