ICO targets lost laptop breaches under tougher fine regime
Watchdog bares teeth at encryption refuseniks
Posted in Management, 27th April 2010 14:07 GMT
The deputy commissioner of the Information Commissioner's Office said that it is no longer a "toothless tiger" and has the resources and resolve to apply enhanced powers to data protection miscreants.
David Smith said increased fines of £500K, introduced in April, for the worst cases of privacy breaches would "concentrate minds on getting it right". He stressed that the watchdog would far rather work with organisations towards this than resort to enforcement.
Experienced IT lawyer Dai Davis, of Brooke North, predicted that the increased fines would result in a handful of high-profile enforcement actions while resulting in little real change. He also argued that the ICO lacks the resources to mount a strong legal assault in the event of a corporation contesting a legal action. He cited the enforcement case against Halifax Bank over the use of credit reference agencies that went all the way to the House of Lords and culminated in failure back in the mid 1990s. The ICO avoided legal action for years afterwards.
Smith responded to questions on resources by saying that recent increases in data protection registration fees to £500 for larger firms would finance enforcements while also bankrolling greater use of audits. "We have to be effective. There is provision in legislation for us to ask for greater fees, if necessary," Smith told The Register.
"We are keen to use our new powers but will not act recklessly," he added. Smith added that firms that lost laptops that were not encrypted would be among the prime candidates for enforcement action, predicting a "handful" of cases over coming months.
During a keynote speech at InfoSecurity Europe 2010, Smith cited figures that showed the health service was responsible for almost a third of all reported data breaches in the UK. However, since the scheme is voluntary the picture it presents is incomplete. European legislation means that mandatory breach notification laws will be applied to telecom carriers within 18 months.
"Data protection is a widespread problem not confined to the public sector," Smith commented. Lost data or hardware and stolen data or hardware were the two most common causes of data protection problems. Lack of awareness about data protection, failure to take responsibility, and the use of legacy systems (such as unencrypted laptops) and policies were among the problems holding back better protection of public data, Smith said.
Smith wants to see mandatory notification in cases where personal data might have been exposed but not in situations where an encrypted laptop was lost, for example. He also wants to see private investigators who used trickery to obtain confidential records jailed. ®
COMMENTS
Peace Little Fishes!
Let's not fight among ourselves when there are bigger and nastier fish out there trying to bite us :)
Crypto fail
ROT-13 is a cipher, it's an instance of the class of ciphers commonly known as a 'Caesar' or 'Caesar shift' cipher.
Encryption is the process of applying a cipher.
If you're going to chime in and claim to be a pedant, at least get your fucking facts right.
Really ?
"A person who loses a laptop may get their employer fined, and that might lead to their own dismissal, but the next person in line will not be permanently scared by that into being more careful."
Seriously ? You don't think that being told on day one that your predecessor was sacked for being careless with data would make you even a little bit more careful ?
Mr Pedant here
ROT-13 is not encryption, it's encoding - there is a difference (albeit subtle). I thank you. :-)
But I agree totally with your sentiment
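An added example, written for this page and not taken from the article or from either commenter: ROT-13 implemented as the Caesar shift with key 13 (the "Crypto fail" point), cross-checked against Python's built-in `rot_13` codec, plus a function that lists the candidate plaintexts under all 26 keys. Because a Caesar shift has no secret key worth the name, whatever you call it, it gives a lost laptop none of the confidentiality the ICO has in mind when it talks about encrypted laptops. The sample plaintext is constructed for the example.

```python
import codecs
import string

ALPHABET_SIZE = len(string.ascii_lowercase)  # 26: the entire Caesar key space


def caesar_shift(text: str, key: int) -> str:
    """Shift every ASCII letter of `text` by `key` positions (mod 26).

    Case is preserved and non-letters pass through unchanged, which is the
    convention ROT-13 tools follow.
    """
    key %= ALPHABET_SIZE
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr(base + (ord(ch) - base + key) % ALPHABET_SIZE))
        else:
            out.append(ch)
    return "".join(out)


def rot13(text: str) -> str:
    """ROT-13 is exactly the Caesar cipher with the fixed key 13."""
    return caesar_shift(text, 13)


def matches_stdlib_rot13(text: str) -> bool:
    """Cross-check our shift against CPython's own rot_13 codec."""
    return rot13(text) == codecs.encode(text, "rot_13")


def is_involution(text: str) -> bool:
    """13 + 13 = 26, so applying ROT-13 twice returns the original text."""
    return rot13(rot13(text)) == text


def candidates_under_all_keys(ciphertext: str) -> dict:
    """Map each of the 26 keys to the plaintext it would yield.

    There are only 26 possibilities (25 excluding the identity), so the
    "key" carries no secrecy: anyone holding the ciphertext also holds every
    possible plaintext. That is why ROT-13 is an encoding in practice,
    whatever class of cipher it formally belongs to.
    """
    return {k: caesar_shift(ciphertext, -k) for k in range(ALPHABET_SIZE)}


if __name__ == "__main__":
    sample = "Lost laptop, unencrypted disk."  # constructed sample text
    ct = rot13(sample)
    print(ct)
    print("involution:", is_involution(sample))
    print("matches stdlib:", matches_stdlib_rot13(sample))
    print("keys to try:", len(candidates_under_all_keys(ct)))
```

Running it shows the shifted text, confirms the self-inverse property, and reports that a complete search of the key space is 26 candidates, which is the whole argument against treating a fixed-shift cipher as protection for personal data.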
Beat me with a marshmallow and call me Sally
"He stressed that the watchdog would far rather work with organisations towards this than resort to enforcement."
So in fact what will happen is that - in the unlikely event of ICO stirring from its sleepy Cheshire lair and actually going out to see someone who has breached the DPA - the offender will still be able to look forward to nothing more than a quick chat and a "bad show, chaps".
What would actually concentrate minds would be a preference toward enforcement, and a preference toward the top end of the fine scale.
For a long time we did all decry ICO as toothless, and they knew it was so and asked for more powers. Recently it seems that every time they get a new one they make a public statement to the effect that they'd, y'know, rather not use it actually.
Disband ICO, hand DPA enforcement responsibility over to the rozzers (where it properly belongs anyway), where the perverse incentive of 'detection' targets would ensure that an open and shut case like a laptop left in a car-park with a couple of cheeldren's addys on it would be prosecuted with the sort of enthusiasm one might expect of a murder case. Problem solved.