Prison Sentences for Data Breaches?

A recent study by CA Technologies indicates that almost 90% of businesses experience some form of data loss (as reported in SC Magazine) and 2009 research from the Ponemon Institute shows the average cost of these breaches as being around £300,000. While the number of breaches reported is going up, experience shows this is not actually the result of more breaches, rather it is better detection and a greater willingness to report.

Since April 2010, the cost of a breach has potentially increased (it was based on the cost of detecting & remediating the breach and lost business) as the Information Commissioner’s Office is now able to levy a fine of up to £500,000 for a breach of the Data Protection Act.

When combined with the Ponemon data, it is easy to see how failing to properly protect data could cost your business in excess of £1,000,000. As we have discussed in previous posts, it is not a sensible risk management strategy to take this risk when spending much less can almost totally remove it.

On 13 September, the Information Commissioner has added a new risk into the mix with a call for custodial sentences to be an option to the courts. Following a recent case where a bank cashier gained illegal access to the customer records of a woman who had been victim of a sex attack perpetrated by the cashier’s husband, Information Commissioner Christopher Graham made the following statement:

“I note the outcome of this latest case, and I remain concerned that the courts are not able to impose the punishment to fit the crime in all cases, because the current penalty for this all too common offence is limited to a fine rather than the full range of possible sentences, including prison for the most serious cases”

“There has been a lot of coverage in the media about the section 55 offence – or ‘blagging’ personal information, as it is known. But this offence is not just about private investigators finding out about celebrities’ hospital appointments. This crime has the potential to devastate ordinary people’s lives. The existing paltry fines are not enough to deter. The government must show they take this problem seriously by commencing the legislation Parliament put in place in 2008. If courts were able to impose the full range of sentences from fines to jail terms, including other sanctions such as community service where appropriate, we would at last have an effective deterrent to stop people engaging in this criminal activity”

The cashier was charged under Section 55 of the Data Protection Act and while this has the potential for an unlimited fine (in Crown Court), in this case she was fined £800 with £400 costs and a £15 victims surcharge.

Interestingly, the cashier who was working for Barclays at the time, was only discovered following the victim recognising her in court and then making a complaint to the police. Following an investigation it was discovered she had access the victim’s records on at least 8 occasions but the cashier claimed under caution that the data had not been used or copied down.

Of a greater concern, and sadly not covered in the ICO’s findings, is if any controls over what data Barclays bank employees could access were in place and what authorisations were required. In this instance, the lack of any ICO comment may be an indication that the controls were present, but it is hard to be sure.

Ideally, there would be technical systems in place to ensure that customer data was only viewed by cashiers with a legitimate, and current, need to see it. This should be backed up by a rigourous internal audit mechanism that flags up suspicious (and possibly criminal) activity for further investigation.

It should not rely on a concerned victim having to report the possibility to the police.

On a broader context, it is actually quite likely that the Barclay’s Cashier had no criminal motivation to look up customer records (and there is no evidence she did anything with the information) but the same cant be said about everyone. If there are no detective controls in place, how is the customer (you and I for example) to know if there isnt a bored cashier looking up our details right now?

If you are in the situation where customers treat you with their personal data (sensitive details, financial records, even shopping habits), then the emphasis is entirely on you to make sure you properly protect their data. Doing this, and reassuring you customers you do this, is an excellent way to stand out in the marketplace, win new business and, importantly, retain existing customers.

Remember, the cost of setting up a security system may seem daunting, but it will always be less than having to implement one after you have been breached and lost customers. Invest in your security from the outset and it will repay you.


Halkyn Security

Halkyn Security Consultants.