BreachExchange mailing list archives
Marking six months of increased ICO enforcement, with no fines seen
From: Christine Fulgham <christine () opensecurityfoundation org>
Date: Mon, 11 Oct 2010 21:11:15 -0400
http://www.scmagazineuk.com/marking-six-months-of-increased-ico-enforcement-with-no-fines-seen/article/180636/

This week marked six months since the Information Commissioner's Office (ICO) introduced its increased enforcement powers, allowing it to issue a fine of up to £500,000. Since then we have looked at the possibility and opportunity for the ICO to issue a fine and have wondered why nothing has happened; not a pound coin has ended up in its hands for a 'malicious data breach'.

I have often considered that one of the reasons why the ICO has not issued a fine has been because the losses have mainly been by public sector companies. Its own statistics showed that the NHS was responsible for a third of the first 1,000 losses incurred and to fine a trust would not only involve public money moving from one hand to another, but the ICO does not want the bad press that would go with it fining an NHS trust.

It is not that the ICO has had no opportunities to issue a fine; look at the Zurich Insurance data loss or even the recent ACS:Law breach. In the case of the former, in a conversation with the ICO I asked if it was going to issue a fine, they said that even though it had found Zurich to be in breach of the Data Protection Act back in March this year, a fine would not be issued because it 'used the powers which were available to us at the time'.

Another incident concerned the loss of a laptop by the Yorkshire Building Society, and then an ICO spokesperson told SC Magazine that there were no plans to fine the companies involved, as it reviews every case individually, and that it was not about punishment, it is about helping them take remedial action.

Speaking at the Information Security Europe show in April, the deputy commissioner David Smith said <http://www.scmagazineuk.com/infosecurity-europe-ico-speaks-on-future-of-regulation-three-weeks-after-its-500000-fines-were-introduced/article/168752/> that it was waiting with 'baited breath' for the first of its £500,000 fines to be handed out. Yet almost six months since that keynote was delivered, still nothing. [...]
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/