You just lost yourselves £500,000 for being reckless
The Information Commissioner’s Office in the UK, thanks to new powers that came into force last week, can now impose a fine of up to £500,000 on organizations that recklessly lose data.
The three words ‘of up to’ are significant here, and we really need to see what criteria will be adopted to quantify a ‘reckless loss’, but it is a clear sign (finally, some may say) that the authorities-that-be have realized how serious a problem data loss and data leakage have become.
This is a move in the right direction and the threat of a hefty fine and not a miserly slap on the wrist may be exactly what the industry needs. There have been too many cases of data breaches over the past year or so and now it’s time to get tough.
In his recent series on security, Emmanuel Carabott makes a convincing argument that companies can ill-afford not to invest in security. I would add that a hefty fine dangling over the CIO’s and CEO’s head makes the decision a tad easier for them.
However, these fines will only be effective as a deterrent if the authorities have the willpower (they have the law behind them now) to use their new powers, and to use them equitably, I should add.
Enforcement is key. IT administrators can write security policies all day long, but if they don’t enforce them, they are worth less than the paper they are written on. The same applies to the new fines. Paying lip service is one thing, but identifying the culprits and punishing them is another matter. Only when fines start being issued will people listen. And when people start to listen, they will (usually) do something about it.
Too many companies are of the ‘it won’t happen to me’ kind.
Once that changes to ‘it won’t happen to me, but I can’t risk a crippling fine’, I can see more companies doing their utmost to protect their data.
So long as the watchdog bites and does not just growl!
Hefty fines, if enforced, may, as you note, induce organizations to improve their data protection policies. Fines, though, are not uniformly imposed and their final disposition can take ages to arrive at. A less onerous but more effective way to deal with this problem may be the course charted by many states in the United States. That is, requiring that data breaches be reported and made public. According to a study released this week by the Ponemon Institute, organizations in countries with breach notification laws paid dearly for each record they lost, compared to those that did not have such a law. In the U.S., for example, the average cost of a lost record was $204, with 66 percent of that attributed to lost business. On the other hand, in the UK, which does not have a notification law, the average was $98 per lost record. A business may be willing to roll the dice on whether or not it will be fined for a data breach, but it will be less inclined to play roulette with its business revenues.
I’m not sure if I simply read the article wrong, or if I’m just interpreting it the wrong way. Maybe I’ve just been more of a traditionalist when it comes to business, but isn’t this sort of fine a bit imposing on most companies?
I’ll just throw it right out there that I’ve never been a fan of government meddling in corporate policy. However, I would understand if the fine was simply a way of protecting clients from sloppy handling of data by their contractors.