BreachExchange mailing list archives

After five years of ICO enforcement – is the UK a more secure place?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 7 Apr 2015 19:59:52 -0600

http://www.itproportal.com/2015/04/07/after-five-years-ico-enforcement-uk-more-secure/

Yesterday marked five years since the UK data protection regulator went
from being the toothless tiger to having the power to issue a financial
penalty against those responsible for data loss.

According to its guidance, the Commissioner may impose a monetary penalty
notice if a data controller has seriously contravened the Data Protection
Act, or if any person has seriously contravened the 2003 Regulations and
if, in both cases, the contravention was of a kind likely to cause
substantial damage or substantial distress.

In addition, the contravention must either have been deliberate or the data
controller or person must have known or ought to have known that there was
a risk that a contravention would occur and failed to take reasonable steps
to prevent it.

According to this list, 66 fines have been issued by the Information
Commissioner’s Office (ICO) to healthcare trusts, firms in the public
sector and private sector and Government agencies. This has included a fine
to its own parent the Ministry of Justice for £180,000 for the “loss of
hard drives containing sensitive and confidential information at prisons”
last year. My calculations put the total amount of fines collected at
£7,158,500; a lot of money that could have gone into the pockets of senior
management, or could have been spent on security solutions.

In reviewing the past five years, I got the opportunity to speak to Stephen
Eckersley, head of enforcement at the ICO, and asked him whether the purpose
of such enforcement was to help companies get things right. He said that is
the overarching theme, and the ICO’s approach.

“If you look at our strategy, it is linked to organisations to make sure
that they know of the ICO’s enforcement powers, and making sure that we are
deploying our enforcement tools and that it is proportionate for
organisations to incentivise them to get it right first time,” he said.

However, while he acknowledged the deterrent and punishment aspects, he said
that headlines usually do not take into account that, when a fine is issued,
there has often been previous engagement with the organisation involved. “So in
some cases where it had issued fines that same organisation had reported a
breach or a similar incident 12-18 months earlier, and said that they would
introduce remedial measures and it was clear that they had not or it didn’t
work and you got a repeat situation,” he said. “I think the key message is
that we like to think that our regulatory action is proportionate.”

He was keen to stress that enforcement is one strand of what the ICO do and
with a strategic liaison for good practice and now with compulsory audit
powers within healthcare, enforcement is something that it is looking to
use more regularly. He said that the fine is seen as a last resort and in
some cases it may well be, but in some cases it is a first resort if there
is clear potential for detriment for consumers or the data subject.

“We are keen to stress it is not ‘one size fits all’ here as every
organisation is different and the trusts operate differently, but with
healthcare and the public protection arena, where they handle personally
sensitive data, we would expect that those measures are tight and mitigate
risk effectively,” he said.

If there is one thing that the ICO has been criticised for with the
monetary penalty process, it is that the process is deemed heavy-handed on
the public sector, while Google, after its Street View wifi capture
incident, managed to escape without a fine.

Eckersley said that he was convinced that there is a lot of under-reporting
going on in the private sector and though it is not mandatory in the public
sector, the organisations do apply that approach in their reporting. Asked
if mandatory breach reporting could really happen, he said that
organisations in the private sector are gearing themselves for this and it
looks like things are moving quickly.

I wanted to know whether he thought the UK was a more secure place five
years after the “Toothless Tiger” got its powers. He said that his obvious
answer is yes, and he can qualify that for a number of reasons as the ICO
had definitely seen an improvement in compliance.

“What I do know is that we have influenced compliance significantly on how
we raise the profile of data protection,” he said. “Quite often the data
protection officer is a lone voice in the wilderness, and suddenly becomes
the executive team’s best friend when there is an incident!

“So if there is a near miss, enforcement, undertaking or fine, then maybe
once you get buy-in at executive team level and you get that governance and
oversight, and it makes a big change to that company’s compliance.
Otherwise, you cannot get decision makers to invest and get the
communication to change.”

Is it the case that as well as being more secure, the UK is more aware of
data protection compliance five years on? He boldly said yes, particularly
as the ICO’s profile is far higher than it was a few years ago with issues
around phone hacking, data being sold and what happens to the companies
tasked with holding it. “I think we are holding them to account to make
sure that they are looking after their information,” he said.

Eckersley claimed that the new EU rules on data protection will likely
appear either in 2016 or 2017, almost five years since the original new
rules were announced. He said that the new rules, which could pose fines
of €1 million (£729,500) or five per cent of global turnover, will create a
substantial fear factor.

In a research effort, the ICO contacted some companies who had been fined,
and found positive movements and collaboration with their peers, who were
thinking “that could have been us.”

Five years ago the ICO was a toothless tiger, with the power to name and
shame but all too easily ignored. Whilst the first fines took seven months
to be served, from 6 April 2010 we had a data protection regulator who
meant business, and now the UK’s PLC, healthcare, public sector and
Government are well aware of who wears the stripes.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
