The UK’s Information Commissioner’s Office (ICO) is looking to redress the dysfunctional imbalance that currently exists when fining British organizations that suffer a data breach. (As detestable as it may sound, the ICO has shown a willingness to fine companies that experience a data breach, adding insult (and injury) to injury. But it could be argued that the companies brought the data breach upon themselves, for example by allowing employees to tote around laptop computers without first securing the devices with data encryption software like AlertBoot.)
80% of Fines on Public Sector
As zdnet.co.uk reports, the ICO “imposed 14 civil monetary penalties against [organizations] since November 2010, with 12 being against public sector [organizations], and one against a public sector service provider”. I created and recently updated a list of ICO DPA penalties. That, of course, only leaves two instances where private companies were fined for a breach of the Data Protection Act.
Private Companies Account for over 30% of Breach Disclosures
This disproportionate penalty ratio exists despite the fact that private companies account for over one third of data breaches disclosed to the ICO. In fact, when you consider that private companies are not under any obligation to make these revelations to the ICO, one has to wonder whether breaches of the DPA at private organizations wouldn’t account for a larger share of the pie. Indeed, a recent report by PricewaterhouseCoopers (PwC) has found that 45% of large businesses were in violation of data protection laws.
(I assume that, given the choice of not reporting a data breach, a company will probably not do so. Hence, the ones that do report to the ICO are outliers. I could put on my rose-colored glasses and assume that British companies report it out of a sense of duty, a sense of respect, the need to do the right thing. But, then, how does one explain the fact that companies are caught not deploying encryption software? One would presuppose that a sense of duty would guide companies to ensure that mistakes are minimized in the first place.)
Is the ICO Implying that Breaches at Private Organizations Don’t Matter?
A contributor to microscope.co.uk, after hearing that the public sector accounts for the bulk of fines, ponders whether:
Now we might feel that data breaches deserve to be punished in order to act as a deterrent, but if we do, that policy needs to be applied equally across the public and private sectors. It may well be that the data held by public sector organisations (sic – at least, in the US) is more sensitive than the data held by private sector businesses, but is the ICO really suggesting most data breaches at private organisations are of information that is relatively worthless? Because that seems to be the message.
I doubt that that’s the message. But such criticism is not new. I looked into the situation on this page. In summary, the ICO claimed that there are better ways of resolving breaches of the DPA, and that it can’t just hand out fines as it sees fit. Penalties can only be handed out when specific conditions are met.
Aggregate Complaints: Big Data Brings Balance
Continuing with the zdnet.co.uk story, the ICO has announced that,
To try to redress the balance of fines, the ICO will start to aggregate complaints from people about potential breaches of the Data Protection Act…
“The next phase for us is to make more sophisticated use of all the information we get in from consumer complaints, to analyse (sic) [it],” said Graham. “Not just to decide whether a breach is likely or unlikely under the Data Protection Act, but to aggregate some of the information we’re getting to spot who are the serial offenders, which would build a case for action on more occasions in the private sector.”
This has the potential to completely change the game. Instead of just hammering those that step up to the plate and admit they had a breach, the ICO could go after cases where an organization with the duty to report a breach has not done so, or go after private companies that can be fined for breaches of the DPA but are not required to report said breach (that’s one badly-written piece of legislation right there).
Such a move dovetails nicely with the current penalty amounts. Among the criticisms the ICO has received since it gained the power to directly hand out monetary penalties, an oft-remarked one is that the ICO’s fines come nowhere close to the £500,000 limit (the highest to date is £140,000 assessed on Midlothian Council earlier this year).
The ICO counters with the observation that the fines ought to send a signal and not just punish the companies that are penalized. The latest move by the ICO could mean higher penalties that get closer to the £500,000 limit — for example, a public sector data breach involving 20,000 people gets a fine of £100,000, but a public sector data breach involving 20,000 people that goes unreported (contrary to law) gets a fine of £200,000 or whatever is deemed fit. After all, there ought to be consequences for violations of the DPA in areas other than the exposure of personal data.