Data Protection Act – Calls for more powers while breaches continue

Earlier this week, the Justice Committee Ninth Report made the recommendation that the Information Commissioners should have the power to issue custodial sentences (prison time) for breaches of the Data Protection Act rather than be limited to the current system whereby a fine of up to £500,000 can be levied against those responsible for a breach.

The report identifies the problem in the current system which ties the actual fine to the defendants ability to pay:

The DPA sets out the current penalties for breaches of section 55 offences. A fine of up to £5,000 may be imposed in the magistrates’ court, or an unlimited fine in the crown court. However, in practice fines are much lower, in part because judges and magistrates must take into account the defendant’s ability to pay.[1] The Information Commissioner’s 2006 report What Price Privacy? included details of 26 criminal cases, in which all of those involved received a fine and/or conditional discharge. The highest fine was £1,000 per offence, but some fines were as low as £50 per offence.[2] More recent cases have seen fines of £100-£150 per offence.

There is also some confusion over what constitutes an offence – is it an instance of a breach or the number of records subjected to the breach but this is not really cleared up in the report.

Giving an indication of future trends, the report continues with:

It is clear to us that the current penalties for section 55 offences are inadequate. If people can make more money from a single offence than the fine which would be imposed for such an offence, then there is no deterrent. There are also cases where people have been endangered by the data disclosed, or where the intrusion or disclosure was particularly traumatic for the victim, and a fine is not an adequate sentence.

and (emphasis in the original report)

 We accept the Information Commissioner’s argument that the issue of custodial sentences for section 55 offences is not exclusively, or even primarily, an issue relating to the media and that the issue should be dealt with by Parliament without waiting for the outcome of Lord Justice Leveson’s inquiry. We urge the Government to exercise its power to provide for custodial sentences without further delay.

Given the choice of wording and emphasis in the report, there is a strong chance that this will lead to a revision of the ICO powers, possibly increasing the fines or allowing custodial sentences. While this is unlikely to be the same as the Corporate Manslaughter powers, it will lead to some interesting changes.

Unfortunately, in the UK at least, it is a very sad reality that still, the majority of organisations do not know how to handle personal data (sensitive personal data or not) properly. This leads to confused policies which enforce costly protection measures where they aren’t needed while still allowing for breaches of the Act to occur.

Yesterday, the ICO issued a press release about a data breach whereby Rochdale Metropolitan Borough Council lost a memory stick containing 18,000 residents details in what looks like a comedy of errors:

Rochdale Metropolitan Borough Council breached the Data Protection Act by losing an unencrypted memory stick containing the details of over 18,000 residents, the Information Commissioner’s Office (ICO) said today. The ICO has required the council to put changes in place and will check to ensure the improvements have been made.
The memory stick – which was lost in May and has not been recovered – included, in some cases, residents’ names and addresses, along with details of payments to and by the council. The device did not include any bank account details. The information had been put on a memory stick to compile the council’s financial accounts.

It is hard to think of the circumstances that could ever justify this happening – there should be few if any reasons for an employee to have to move data in this manner and if there really was a compelling case to do so, then it is almost impossible to deploy an endpoint encryption solution that doesnt transparently encrypt removable devices.

Without knowing the details it is only possible to speculate on what the Council employee was planning to do with the records, but it appears likely that the Council allows (or at least fails to prevent) its employees processing Council data on non-Council equipment.

Whatever the reason, there are much better ways to transfer the data than putting it on an unencrypted USB stick. (Why would the Council even own such devices).

Following on from the findings, the ICO has issued some remediation instructions to the Council:

The ICO’s investigation found that the council’s data protection practices were insufficient – specifically that it failed to make sure that memory sticks provided to its staff were encrypted. The council also failed to provide employees with adequate data protection training. As well as requiring the council to put all of the changes in place by 31 March 2012, the ICO will follow up with the council to ensure that the agreed actions have been implemented.

This is pretty basic activity but, as the Council may be about to discover, it is significantly more cost-effective to implement these measures in advance (when you can determine the timescales to suit your own needs) than it is to rush them in following an Data Protection Act breach.

An ounce of prevention is better than a pound of cure.

If the Council had implemented some very simple, very basic, information security measures in advance this breach would never have happened.

This kind of data breach is painful when it happens to a Government body, but on the whole they can absorb the reputational damage simply because there is rarely any competition – for example, people claiming housing benefit from Rochdale Council do not have the option to move to a different council which will handle their data in a more secure manner.

In the private sector, however, things are very different. Although it is difficult to assess hard figures, the risks of data breach of this nature to a private company are significantly greater.

If your organisation breaches the Data Protection Act, not only is there the financial cost of any remediation activity (and the costs of the fine if applicable) but your customers do have a choice.

The adverse publicity from a DPA fine can, depending on your business, significantly undermine your marketing efforts, reduce customer confidence and shatter relationships that you have spend time and money developing.

One DPA breach can completely undermine a multi-million (Pound / Dollar / Yen / Euro / Whatever) advertising campaign, effectively leaving you where you started. Even if this isnt something you can measure, there is a good chance that following a DPA breach you will need to spend considerable amount of money on advertising / PR to reassure your stakeholders.

This is money lost to your business and it can all be prevented by investing in security.

One organisational problem we frequently encounter with our clients is that the security budgets are often under pressure and isolated from the budgets used on marketing etc. While this can make sense from an organisational perspective it is critical that at some point there is an understanding that a weakness in one area (security) can totally wipe out the benefits elsewhere.

Failing to do this can cost the business. Take action now to ensure that your security is properly implemented and provides a solid, cost-effective support structure to enable your growth. If you think security is getting in the way, something is seriously wrong.

Taz Wake - Halkyn Security

Certified Information Systems Security Professional with over 19 years experience providing in-depth security risk management advice to government and private sector organisations. Experienced in assessing risks, and producing mitigation plans, worldwide in both peaceful areas and war zones. Additionally, direct experience carrying out investigations into security lapses, producing evidential standard reports and conducting detailed interviews to ascertain the details of the incident. Has a detailed understanding of the Security Policy Framework (SPF) and JSP440, as well as in depth expertise in producing cost-effective solutions in accordance with legislative and regulatory guidelines. Experienced in accrediting establishments and networks as well as project managing the development of secure, compliant, workable business processes.