Data breaches are one of the more troubling side-effects of a connected world, with the increased use of web tools making it much easier for a user to accidentally send information to the wrong address, or to store it somewhere it can be accessed from the outside world.
The Information Commissioner’s Office (ICO) was set up to raise awareness about data protection issues and encourage good practice, which it does in part by issuing fines to those whose negligence has led to a data breach.
However, a number of private sector firms – including one storing NHS patient records on Google Drive – have recently received only a warning for breaching data protection policies. Meanwhile, other firms have suffered a data loss after an initial warning, something which has led Martin Sugden, CEO of data security firm Boldon James, to call for the ICO to take stronger action.
“You could argue it should have been a bit stronger to begin with,” he told Computing, arguing that with the ICO often choosing to issue a warning for a first offence, businesses are willing to take a risk with data rather than spending budgets on ensuring proper protection.
“Most of these organisations are tight for cash. They don’t have money to spend, therefore they have to make a list of priorities,” he continued. “And if what you’re basically saying is all you’re going to get is a rap on the knuckles and you haven’t been caught yet, then let’s put that to the bottom of the list, because they’ll go to a higher priority.”
Sugden argued that if the ICO issued fines for a first offence firms would be much more careful with their data.
“Had the ICO hit the first couple of them very hard, then I think this would have gone to the top of people’s priorities lists and actually hopefully by now you’d be seeing less inadvertent data loss,” he said, adding that if an organisation was found to have absolutely no data protection measures in place, then the fine should be “draconian”.
However, Sugden conceded that if fines were very large, their impact might be limited as they would inevitably lead to protracted legal actions. Referring to Sony, which was fined £250,000 for unencrypted storage of PlayStation customer data, he said: “If they put in a draconian fine – let’s say they fined Sony a billion – they’d probably still be in court with all their resources.”
Nevertheless, Sugden argued that the ICO must get tougher.
“The softly, softly approach has taken too long, it’s not focused enough. If you’re not using the basic data protection tools and then one of your staff makes this type of mistake, it’s management’s fault and the ICO fine needs to reflect that,” he said.
Sugden also believes the ICO tends to focus too much on public sector bodies because they don’t have the financial clout that private firms can draw upon to fight it in the courts. In essence, he thinks they’re picking on an easy target.
“To an extent they’re softer targets because private firms are going to appoint lawyers to try and get their money back and I think that’s part of the issue,” he said. “The other thing that’s a bit depressing is it’s out of one pocket into the other. Because if Stoke Council pays £125,000 of taxpayers’ money to a tax-funded organisation, well, what happens? It just goes around in a circle.”
Computing approached the ICO for a response to Sugden’s comments, but the organisation only issued a written statement in reply.
“Both the private and public sectors have to comply with the Data Protection Act. We offer guidance to both, including free audits and advisory visits, and any enforcement action we undertake is judged on a strict set of criteria, which apply equally whether the organisation is in the private or public sector,” said the statement.
“It’s important organisations in both sectors understand their responsibilities under the Act to avoid such action and the resulting reputational damage.”