The UK government should consider raising the level of fines that the Information Commissioner's Office (ICO) can impose on organisations that breach the Data Protection Act (DPA), an expert has said. Data protection law specialist Kathryn Wynn of Pinsent Masons, the law firm behind Out-Law.com, said that a previous increase in …
Half a mil? You gotta be kidding
10% of worldwide turnover (at least), doubled for repeat offenders. Then it will be fine. Prior to that it is the cost of doing business so who cares.
No no no...
We don't need to fine councils and such huge amounts of money. They don't care - it isn't theirs. No - what we need is to fine the *people* responsible (operators, CEOs etc) much *smaller* amounts of money, so they actually feel it personally. Mind you, trying to find out who *is* responsible in a council is nigh on impossible these days....
Re: No no no...
And then an agreement will be (already is?) written into the contracts that the public body will indemnify the Chief Executive for any legal action taken against them while in the course of their duty.
Re: No no no...
Yeah, so forget about fines where the body in question has no turnover.
A better way would be permanent disbarring from employment by the public sector in any capacity (including nationalized banks).
If you fine governmental bodies, you're just moving numbers from one column to another, or (at best) fining taxpayers. If you fine corporate bodies, you're really fining employees/customers/shareholders - there are no other options - none of which are likely to have had any direct responsibility for the breach.
If you want to do something effective, make directors (or their equivalent for government bodies) personally liable. Confiscate their Bentleys, make them sell their agreeable second homes in Cornwall/the Algarve. That will get people's attention, I guarantee. Of course, the fact that our legislators are all looking forward to such cushy numbers means this is very unlikely to happen.
One of the purposes of a corporation is to do away with personal responsibility. This can be both a good and a bad thing, depending on circumstances. Where law enforcement goes, it's really just bad.
It does away with personal liability for shareholders. Directors already assume personal liability for certain types of malfeasance, such as trading while insolvent.
Exactly what I was thinking.
Start making somebody responsible.
Fine the company, so they don't just make the position expendable. Put a 5 year ban on the responsible director / supervisor and a hefty fine to that person.
That should make people take security somewhat more seriously. A little personal touch.
@Chris Miller: Although fines do, indeed, end up paid by customers, they do have a very material effect on the company. In particular, if fines are heavy enough, they don't end up being paid at all: they cause a change in behaviour (which is what we want to achieve) because good behaviour becomes much the lower cost (thus maximising the shareholders' benefit).
If it can be proved
that an entity breached the data protection act on purpose for self gain, the directors/owners of that entity cannot be trusted and should be fined, black listed and NOT allowed to direct/run any other entity that handles personal data ever again.
If the breach was through incompetence or accident and unintended, punishment will not necessarily help that entity secure its systems. Security costs money and fining an entity just adds more cost and potentially more problems as corners may be cut to meet the expense of the fine.
Compulsory training paid for by the entity at fault is more likely to produce positive results than financially punitive measures.
Many things are various shades of grey; there is no right or wrong way to proceed. Dishonesty and honesty are diametrically opposed and in such an instance it *IS* a case of black and white, right and wrong.
Re: If it can be proved
"If it can be proved ....."
Establishing the guilt of directors, or even the corporation itself requires the prosecution to establish vicarious liability under UK law, which means proving they knew. If you can't show they knew, both corporation and directors aren't guilty, even if their officers are. This might be why News International and its scumbags are busy claiming they didn't know about phone hacking. A cynic might also presume this is why so much of the email evidence mysteriously got deleted to save disk space, and why laptops found their way into ponds and bins.
To change the rules of vicarious liability would be a very far reaching reform of law and won't happen in my view. However, the ICO specifically don't levy legal fines, they issue civil monetary penalties, and that's how they avoid having to prove liability in court. There is a quasi judicial appeal route, but that has additional costs and risks, and the business still has to pony up the cash until and if the appeal tribunal determines it should be reduced or repaid.
The interesting thing is that ICO can already levy monetary penalties on "natural persons" (ie individuals) as well as "legal persons" (ie organisations). In this respect the ICO have the power to "fine" individuals already; they appear generally to choose not to use this power. So it seems to me that the ICO need to use their existing powers more precisely to target individuals, as well as having the ability to fine larger organisations more (so that the likes of Google, BT/Phorm et al would be suitably admonished if caught breaking the rules).
Who pays vs. who is responsible?
Fines (especially at this level, for multinationals) are as the article says "a drop in the ocean". However no matter what level fines are set at, they still only get paid by the organisation as a whole - or more likely: by the shareholders or tax-payers who ultimately suffer the loss. They don't punish the individual who was responsible for security and who made (or failed to make) the decision that led to losing data that other people had entrusted to the company. Since it's individuals who get the rewards, it's reasonable that they should be held to account for their failures.
If you really want to focus the attention of the people in charge, jail time is required.
The spotlight should start at the top of the organisation, and only move down to lower-ranking named individuals if or when it can be shown that the person in question could not have influenced, made, or reversed choices that led to an insecure IT operation.
There is already an offence called Misconduct in Public Office which can carry a heavy sentence. Maybe all that's needed is to extend this and (like with pretty much all existing laws) simply start to use it, rather than create even more new laws.
Make it personal
Where it is clear that an individual acting for a business has made a deliberate choice to misuse either data the business holds, or data acquired elsewhere, not only should the business be fined, but those making the relevant decisions should be held personally liable and prosecuted, with a large fine if found guilty, or in the worst cases a custodial sentence. Perhaps it'll be harder to be glib about cynically exploiting others if the cost of getting caught is paid very personally rather than by your employer.
The current limit on fines limits their effects solely to smaller businesses; beyond a certain point it's merely 'the cost of doing business'. They should reflect the company's turnover and global reach, and in the most egregious cases should be unlimited in any case if the offence warrants.
There's a lot of cynical pisstaking going on that is being given dubious benefit of the doubt as 'honest mistakes', and it really does need reining in.
While I agree with the sentiment of most of the above posts...
... I don't see such a big problem with fining private companies for data security breaches. If a private company has kept bad security and/or sold private data to other parties, chances are that the shareholders also profited from it. A fine consisting of a % of the company's value would drive home that the shareholders are responsible for the people they approve as CEOs and managers. Of course, said CEOs should also be fined, but if the shareholders get off scot-free they'll get no incentive for doing things better the next time, and will hire similar scum again for the position.
Re: While I agree with the sentiment of most of the above posts...
And I agree with you (up to a point, Lord Copper). But, like it or not (and I don't), 90% of shares in publicly traded companies are held not by individuals, but by faceless corporate investment operations. Unless you're Bill Gates or Warren Buffett, individual shareholders have about as much control over the management of a company as the average Catholic does over the running of the RC church. If you don't like it, you can leave, and that's about it.
Directors, on the other hand, have a direct say in the appointment and remuneration of senior officers and are in a position to dictate policy. They get well paid for their responsibilities, and it's about time they faced up to them.
Use the fine to help them become compliant
For my money, the ICO should get the power to appoint an auditor/advisor to oversee data breach offenders, helping/forcing reforms until they are compliant. Ideally a similar model to the court appointed auditor that Apple are fighting tooth and nail with at the moment.
If a company can shrug off £500K fines, perhaps an independent government employee doing rigorous penetration testing of their networks should send the requisite shivers down spines, especially when they realise the auditor could stumble across more naughty activity that they'd have a legal duty to report. As an added benefit the Directors would get a first hand taste of how important it is to protect data.
Re: Use the fine to help them become compliant
"the ICO should get the power to appoint an auditor/advisor to oversee data breach offenders, helping/forcing reforms until they are compliant. "
They already have powers of compulsory audit:
Re: Use the fine to help them become compliant
That puts the practice of fining government agencies into a whole new light. I previously thought they were trying their best with the tools available, but if they've had this capacity all this time...
Well done el Reg. You have identified the problem of how to secure justice when an organisation commits crime or poor practice or even improper practice.
Applying a fine seems fair but is it justice?
What justice can be served by fining an organisation money that goes to UK Treasury?
(My take: none, but it seems to satisfy a Brit tradition of inflicting harm on those who harmed, and that is revenge, pseudo-revenge or revenge by proxy, NOT justice).
For a publicly funded body there is no justice served if the public are further denied and more poor service (and continued injustice) be maintained.
I am sure there is an answer and I am equally sure that Whitehall will seek to avoid that question and answers?
"Applying a fine seems fair but is it justice?"
There is a whole range of actions the ICO can and does take, of which fines are the end of the line, after audits, enforcement notices, undertakings and the like. What would you like them to do differently? Round up the guilty and have them beaten by special services blokes in balaclavas?
As for Whitehall avoiding the answers, the ICO have wrung an undertaking of compliance out of the Treasury Solicitor's Office for example, along with a fair number of police forces and health organisations, so I think they do a reasonable job of holding government to account without fear or favour. The ICO only issue fines where they feel the seriousness or repeated nature of an offence merits it, and that seems eminently reasonable.
Fines aren't about justice -- that is what prisons are for. Fines are about deterrence -- make it cheaper to comply with the law than to break it.
Fines do not justice make.
Justice is better served if the perps acknowledge their crime and seek not to do it again AND the offended parties are made to feel the injustice has been righted.
Funny how section 55 was not implemented. I wonder how much effort the Minister would need?
For some reason the line from the old Mel Gibson movie "Payback" comes to mind.
"When you go high enough it comes down to just one man."
When it's their a**e that's going to do say 6 months for each person's data that goes astray you can bet things will get a lot tighter.
We should use a carrot & stick approach.
Promise the Data Controllers a fat bonus if they get through a year with no cock-ups. But also make it clear that they are out of a job for the slightest mistake.
It is not the mistakes that bother/worry me, it is the deliberate actions taken to avoid the requirements of the DPA. Such as the data sold from the hospitals being de-pseudonymised, deliberately, in order to put a name to the data.
Although many have pointed out the method of anonymisation seemed to have been chosen so that it COULD be associated with the original person!!
No need for more in the public sector. It's other people money anyway. The public humiliation is a more motivating factor than the loss of cash.
Private sector should have a % limit. £500k is pocket-change to some of the big boys
Fines don't work - you have to make PEOPLE responsible
And you begin at the top. The executives and managers get paid large salaries for a reason. You kick *THEM* hard, not the poor bastard on the ground. Punish from the top down (including sacking and barring from public duty/office) a few times and you can be sure executives -> managers -> team leads -> workers will ensure that processes exist, are enforced and are continually improved.
Fines do not work.
Sacking underlings does not work.
Once adequate processes exist, only then can you begin to target the lower echelons.
Re: Fines don't work - you have to make PEOPLE responsible
Rather than pay damages to the people affected by injustice the system hopes to pull a flanker by paying a fine to UK Treasury thereby denying justice and keeping money in Treasury accounts no?
No review of punishments for misuse of our data?
Have I misunderstood the article or does it really say that the current government review of the penalties is only about the penalties for stealing the data, not the penalties on data controllers for losing or misusing the data? This seems to be about increasing the punishment for the evil hackers instead of increasing penalties for those who do not apply sufficient care to protect our data or (worse) deliberately misuse the data.