How effective are data breach penalties? Are ever-bigger fines enough?

Filed Under: Data loss, Featured, Law & order

For the past couple of years, data security company ViaSat UK has spiced up the Infosecurity Europe conference by filing an FoI (freedom of information) request for data breach statistics.

In previous years, things have ended up with ViaSat in a spot of biffo with the UK Information Commissioner's Office (ICO).

In 2011, ViaSat noted that "monetary penalties have been enforced in less than one per cent of the data losses [the ICO] has dealt with."

The company went on to suggest that this, combined with the modesty of some of the fines that were imposed, might lead to companies simply risking the fines as an alternative to doing the right thing:

Organisations could easily look at the £60,000 penalty meted out to [one company...] compared to the company's £145 million turnover, and its rarity, [...] and feel that the risk of ICO action is one they are prepared to take.

The issue of "paying instead of playing" is one that won't go away in the computer security field.

We ran a poll last year after Google coughed up $22.5 million to the US Federal Trade Commission (FTC) to dispose of charges that it "misrepresented privacy assurances to users of Apple's Safari browser."

We asked, "Are financial penalties enough to make the online behemoths play ball on privacy?"

Nearly 95% of the respondents said, "No."

That's a worrying degree of scepticism!

In 2012, the ICO brought the fight back to ViaSat, with the UK Information Commissioner on record referring to ViaSat's FoI request as a "stunt".

ViaSat's complaint in 2012 was that the private sector seemed under-represented in the statistics on UK data breach penalties, with just one penalty imposed in 263 self-reported cases, compared to eight penalties in 467 self-reported data breaches from the public sector.

This year's FoI request, however, revealed that the ICO handed out 20 penalties overall (instead of the nine in 2011/2012), in response to 1150 self-reported breaches (against the 730 in 2011/2012), and ViaSat's sound bites were correspondingly more conciliatory:

It's pleasing to see the ICO make good on its promise to use both the "carrot and the stick" when enforcing the Data Protection Act.

Some of the recent fines in the UK (or "monetary penalty notices" to give them their proper name) certainly haven't been trivial.

We've written about some of the big fines, sorry, monetary penalties, already on Naked Security.

There was £150,000 (about $230k) paid up by the Greater Manchester Police over an unencrypted USB key, for example, and £225,000 ($345k) paid by the Belfast Health and Social Care Trust.

Technologies such as encryption and DLP (data loss prevention) can, of course, go a long way towards helping you prevent data breaches, especially those that happen through ignorance or carelessness.

Device encryption, for example, helps you ensure that you don't end up making your files accessible to everyone (by accident or design) if you copy them to removable storage (by design or by accident): a lost or stolen USB key, like the one that cost Greater Manchester Police £150,000, then yields only ciphertext to whoever finds it.

And DLP heads you off at the pass before you cut-and-paste sensitive data to the wrong place, and makes sure that you don't include database fields you're supposed to omit when preparing reports.
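The two DLP jobs described above, field filtering when a report is prepared and content inspection before data leaves, can be demonstrated in a few dozen lines. The code below is an added example for this article, not Sophos's product or any code from the original post; the allowed-field list, the sample rows and the sample text are all constructed for illustration. It catches UK National Insurance numbers by pattern and payment-card numbers by pattern plus a Luhn check, so that a run of digits that merely looks like a card number is not flagged.

```python
import re

# Hypothetical allow-list: the only columns a departmental report may carry.
# Anything else (NI numbers, free-text clinical notes, ...) is stripped.
REPORT_ALLOWED_FIELDS = {"patient_id", "ward", "admission_date"}

# UK National Insurance number: two prefix letters (certain letters are never
# used), six digits, and a suffix letter A-D.
NI_NUMBER_RE = re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b")

# Candidate payment-card numbers: 13 to 19 digits, optionally space/dash separated.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample rows, as if pulled straight from a patient database.
SAMPLE_ROWS = [
    {"patient_id": "P001", "ward": "Ward 3", "admission_date": "2013-05-01",
     "ni_number": "AB123456C", "notes": "Allergic to penicillin"},
    {"patient_id": "P002", "ward": "Ward 7", "admission_date": "2013-05-02",
     "ni_number": "CE654321A", "notes": "Card on file 4111 1111 1111 1111"},
]


def luhn_ok(digits):
    """Luhn checksum: True if the digit string is a plausible card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text):
    """Return (kind, match) pairs for sensitive identifiers found in text."""
    hits = []
    for m in NI_NUMBER_RE.finditer(text):
        hits.append(("ni_number", m.group()))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):     # drop digit runs that fail the checksum
            hits.append(("card_number", m.group()))
    return hits


def redact_report(rows, allowed=REPORT_ALLOWED_FIELDS):
    """Keep only allowed columns; also report which columns were removed."""
    clean = []
    dropped = set()
    for row in rows:
        kept = {}
        for key, value in row.items():
            if key in allowed:
                kept[key] = value
            else:
                dropped.add(key)
        clean.append(kept)
    return clean, sorted(dropped)


def check_outbound(text):
    """Gate for a paste or upload: True if it may leave, False if DLP blocks it."""
    return not find_sensitive(text)


if __name__ == "__main__":
    clean, dropped = redact_report(SAMPLE_ROWS)
    print("report columns removed:", dropped)
    print("clean rows:", clean)
    pasted = "Ref AB123456C, card 4111 1111 1111 1111"
    print("outbound allowed:", check_outbound(pasted), find_sensitive(pasted))
```

The field allow-list is the cheaper and more reliable of the two controls: it does not depend on recognising what sensitive data looks like, only on deciding up front which columns a report is entitled to contain. The pattern scan is the backstop for data that arrives by copy-and-paste rather than by query.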

But the abovementioned Belfast breach, you may remember, is an unyielding reminder that technology alone can't solve your data breach woes.

In that case, physical records were left behind in a mothballed hospital building; thieves broke in, got hold of confidential patient records and tried to sell them online.

Preventing data breaches is as much about attitude as it is about technology: the more you care about your own data and what happens to it, the better inclined you'll be to look after other people's.

So, why not take a look at Sophos's free IT Security DOs and DON'Ts - a downloadable toolkit which helps to keep some simple but effective security tips clear in your mind.

Check out IT Security DOs and DON'Ts

From videos and an employee handbook to posters you can put up round the office (yes, you'll see them on the walls at Sophos!), all the downloads are free, and no registration is required.


One Response to How effective are data breach penalties? Are ever-bigger fines enough?

  1. There was £150,000 (about $230k) paid up by the Greater Manchester Police over an unencrypted USB key, for example, and £225,000 ($345k) paid by the Belfast Health and Social Care Trust.

    Of course both these examples are ultimately owned by the taxpayer, so it's out of one pocket (GMP or BHSCT) and into another (ICO / Treasury)!


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog