BreachExchange mailing list archives

Marking six months of increased ICO enforcement, with no fines seen


From: Christine Fulgham <christine () opensecurityfoundation org>
Date: Mon, 11 Oct 2010 21:11:15 -0400

http://www.scmagazineuk.com/marking-six-months-of-increased-ico-enforcement-with-no-fines-seen/article/180636/

This week marked six months since the Information Commissioner's Office
(ICO) introduced its increased enforcement powers, allowing it to issue a
fine of up to £500,000.

Since then we have looked at the possibility and opportunity for the ICO to
issue a fine and have wondered why nothing has happened; not a pound coin
has ended up in its hands for a 'malicious data breach'.

I have often considered that one of the reasons why the ICO has not issued a
fine has been because the losses have mainly been by public sector
companies. Its own statistics showed that the NHS was responsible for a
third of the first 1,000 losses incurred and to fine a trust would not only
involve public money moving from one hand to another, but the ICO does not
want the bad press that would go with it fining an NHS trust.

It is not that the ICO has had no opportunities to issue a fine; look at the
Zurich Insurance data loss or even the recent ACS:Law breach. In the case of
the former, in a conversation with the ICO I asked if it was going to issue
a fine, they said that even though it had found Zurich to be in breach of
the Data Protection Act back in March this year, a fine would not be issued
because it 'used the powers which were available to us at the time'.

Another incident concerned the loss of a laptop by the Yorkshire Building
Society, and then an ICO spokesperson told SC Magazine that there were no
plans to fine the companies involved, as it reviews every case individually,
and that it was not about punishment, it is about helping them take remedial
action.

Speaking at the Information Security Europe show in April, the deputy
commissioner David Smith said
<http://www.scmagazineuk.com/infosecurity-europe-ico-speaks-on-future-of-regulation-three-weeks-after-its-500000-fines-were-introduced/article/168752/>
that it was waiting with 'baited breath' for the first of its £500,000
fines to be handed out. Yet almost six months since that keynote was
delivered, still nothing.

[...]
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
