Nearly six months ago, the Information Commissioner’s Office in the UK gained the power to fine companies that are in breach of the Data Protection Act, up to £500,000 in penalties. As I’ve pointed out before, the use of drive encryption software for protecting entire laptops and other portable devices, and file encryption for protecting individual files and folders, would help in radically reducing or even eliminating such fines.
I thought that this message would get lost, since in the six months since, the ICO hasn’t fined a single organization that was involved in a data breach, no matter how egregious the loss of data. This could be changing though: the ICO has “confirmed that it is in the process of imposing fines against organisations that have breached the Data Protection Act,” according to v3.co.uk.
“We Will Be Actively Using This Power”
Deputy information commissioner David Smith was quoted as saying the following:
“This will be a landmark moment in ensuring that firms take [data protection] seriously,” he said.
“There have been a lot of questions asked of us about whether we are actually going to fine firms, and I can assure people that we will be actively using this power.”
Smith declined to reveal any details of the companies involved, but said that information will be posted online “in the near future”. [v3.co.uk]
There are a number of other points Smith goes into, including how companies should not be collecting data just because they can; if they don’t have a use for it, don’t collect it. This is actually one of the keystone principles of data security: you don’t need to secure what you don’t have.
And, seeing how data breaches are revealing themselves to be a “when, not if” situation, not collecting unnecessary information is something to think about. Not collecting information other companies are collecting might be a competitive disadvantage, but so is getting involved in a data breach.
The Importance of Encryption Software
In the past, the ICO has made a point of ensuring companies promise to use encryption on their portable devices as part of an Undertaking. In fact, I have a post, “UK Information Commissioner Can Fine Company £500,000”, quoting an Undertaking straight from the ICO’s website.
If you follow the link, you’ll see that there are other issues to consider aside from the use of encryption, such as ensuring adequate physical security and education of staff, but the very first item is the use of encryption. Not that I believe that these things are ranked in order of importance, but still, wouldn’t you say it’s symbolic?