The Information Commissioner's Office sends the wrong message

December 10, 2010

By Steve Gold, business and IT journalist for over 25 years

After hinting about the matter for several months, the UK Information Commissioner’s Office (ICO) has finally handed out its first hiked fines against two organisations found to be in breach of the Data Protection Act.

In case you need reminding, the ICO raised its maximum penalties a thousand-fold for data losses back in April of this year. Much has been made since then of the new penalties, which can range up to half a million pounds.

After six months of not a lot happening, the ICO said earlier in November that it was planning to impose its first penalties towards the end of the month.

And now we have the details – £100,000 for Hertfordshire County Council over two faxing slip-ups and £60,000 against an international employment agency with a turnover of £190 million.

Yes folks, you did read that right. A4e employs 3,400 people worldwide and is a major player in the unemployment-to-employment training stakes.

It apparently allowed a staffer to take a company laptop home containing the data records of 24,000 of its clients, including the usual identity theft ID kit information of names, addresses and dates of birth. Oops.

Oh, and their criminal records check data. But the data on the laptop was unencrypted. Double oops.

And the laptop went missing. Triple oops.

There are a lot of security best practices that spring to mind here – and you don’t need to be an IT professional to figure out that what happened was not only plain stupid, but represented a serious lapse on the data security front.

And the company with an annual turnover of £190 million gets the maximum fine of £500,000? No – it was 12 per cent of the maximum, £60,000.

Does this fine send a strong message to other companies whose IT security practices are not up to scratch? I think not.

Frankly, it probably cost the ICO around that sum of money to investigate the data breach, once you factor in the number of people working at the ICO, their training and skill sets.

And to A4e, the £60,000 probably represents the total cost of employing two people, so in budgetary terms it’s small beer.

Data leakage has – thankfully – become a key priority for most businesses, as witnessed by the results of last year’s IT Security Index 2009 research from Launchpad Europe, which concluded that the topic is now a major priority for most businesses around the world.

But what about the council fine? Anyone can make a mistake – but twice, and with children’s details?

But this kind of slip-up occurs more often than you might think. Only two weeks ago, one of my colleagues mentioned that she had received a fax containing personal information from her local council in error.

Once she realised what the document was, she immediately shredded it and phoned up the council to explain the mistake.

If you think about it, she probably saved the council a £50,000 fine.

So what is the conclusion about these ICO fines? Well, they’re too small and send the wrong message to IT managers working in errant companies.

But they do give data security professionals something to work with when discussing better security with their clients.

At least that’s a small glimmer of hope in an otherwise ineffectual message from the Information Commissioner's Office.
