That'll learn 'em. If only our own Information Commissioner could have his teeth sharpened to a point like his Korean counterparts.
Korean credit card companies hit with 90-day, $100m sales ban
Three South Korean credit card firms which are thought to have exposed the personal data of 20 million customers have been forced to suspend all new business for three months in a blow which could cost them nearly $100 million. Korean regulator the Financial Services Commission (FSC) said the firms were not allowed to sign up …
Thursday 20th February 2014 09:07 GMT Anonymous Coward
taxing the public
As far as I'm aware he can't. The law says the organisation is responsible - so yes - fining the public sector is taxing the public and/or victimising those it serves. He might just be able to name and shame people but even that is dangerous ground.
A more personally orientated law such as a more moderate form of individual liability would maybe work (so like health and safety but leading to civil rather than criminal action maybe). However I'd like that really to recognise the difference in public versus private sector incentives and obligations somehow.
Thursday 20th February 2014 15:46 GMT TrishaD
Re: taxing the public
I like the Health & Safety analogy. Corporate H&S works pretty well because senior managers become responsible in law.
Many years ago, a new Head of Data Centre was parachuted in from the US to run the site I was working at. I got an appointment with him to discuss Health & Safety. The conversation went...
Him: 'Why do I need to know about this stuff - we've got lawyers to deal with it'
Me: 'In the UK it's criminal law and you could go to prison'
Him: 'Tell me about this stuff'
Management don't make coding errors for sure, but they are responsible for their staff and providing the relevant budget to put appropriate controls in place.
There really does need to be some sort of personal liability associated with Data Protection.
Friday 21st February 2014 12:03 GMT Intractable Potsherd
Re: taxing the public @ TrishaD
"I like the Health & Safety analogy. Corporate H&S works pretty well because senior managers become responsible in law."
Yes, it is a nice thought, but look at the ridiculous over-reach of H&S in the workplace and everywhere else, much of it because people are taking a "no way anyone is going to get me for anything" attitude. The creation of the offense of Corporate Manslaughter has fuelled the rise of the H&S monster to the point where personal responsibility for large chunks of one's own life is a mere fading memory, costing billions of £s each year, and making things stupidly inefficient.
Applying the same principles to DP will lead to nothing new being done, just lots of tweaks to address the merest possibility of maybe sometime happening, and systems becoming effectively impossible to use. How often are you told (wrongly) that something can't be done "because of Data Protection", which means your life just got more difficult? The cost of this attitude is externalised to you and me, and will get worse with serious penalties at the board level.
I want an effective Data Protection watchdog, and I love the idea of making commercial organisations *really* hurt when they are in breach, but I have a horrible feeling that the public sector is effectively invulnerable.
Thursday 20th February 2014 09:08 GMT Anonymous Coward
If only our own Information Commissioner could have his teeth sharpened to a point like his Korean counterparts.
That's more a political decision. For the moment, the ICO has to make do with pre-wetted noodles to give wrist slaps, which IMHO does more to ENCOURAGE abuse than to stem it, so hats off to the South Koreans here. That sort of fine would even slow down Google.
But what punishment would the ICO give to all the public sector organisations found breaching data protection?
This is where it gets interesting. In my opinion, data loss must move into criminal law and a way must be found to identify the top person in the chain who takes the decisions - a bit like tax evasion eventually becomes personal. That way, you can eventually sling someone into jail if they're not paying attention. I agree with what appears to be your thinking: a financial punishment will not work because it's not their money to start with, but the taxpayer's, so it would just be a budget reshuffle. Maybe we could start with a public naming & shaming? Maybe even tar & feathers?
Thursday 20th February 2014 09:22 GMT DavCrav
"This is where it gets interesting. In my opinion, data loss must move into criminal law and a way must be found to identify the top person in the chain who takes the decisions - a bit like tax evasion eventually becomes personal. That way, you can eventually sling someone into jail if they're not paying attention."
So, do we sling in jail the head of the organization, who knows nothing about programming? The person who left the XSS vulnerability in the website design? Perhaps the head of the company that did the outsourced web site design? Somebody over at Mozilla and Microsoft for leaving the vulnerability? Much as it might seem fun to throw Ballmer in jail for all security vulnerabilities in Windows, you might find it difficult to get people to take on public sector work, particularly at the coding level, if you offer a nice juicy time in the slammer if they make a mistake.
Thursday 20th February 2014 11:28 GMT Anonymous Coward
you might find it difficult to get people to take on public sector work, particularly at the coding level, if you offer a nice juicy time in the slammer if they make a mistake.
The idea is to move the punishment up the management chain to where the decision was actually made - individual or groupwise. A coder just codes, but if management demands a certain level of quality and compliance because their own damn skin is involved it can only be good, and may get rid of the current lowest-bidder culture.
Thursday 20th February 2014 11:49 GMT Neil B
Without the know-how or experience to personally prove that their demands are being met, all they'll do is out-source it to people who *do* have the know-how and experience, and those are the people that will get it wrong.
Trying to push for personal liability (and jail time, of all things) in such areas is nutty. Privacy breaches are most often the results of mistakes, bad policy, or sheer laziness. Such things might be annoying, but they're hardly criminal. If they were we'd all be locked up at some point in our lives.
Thursday 20th February 2014 21:00 GMT Tom 13
@ DavCrav
Back in WWII there were problems at shipyards with subs going out to trials and never coming back even though they hadn't been through enemy territory. I think they managed to retrieve one such sub and found the root cause was bad welds. So the military instituted a lottery system. Each welder who worked on a sub had his name put in a hat. One name was drawn from the hat and that person went to sea on the maiden voyage of the sub. They very, very, very rarely had issues with welds after the welders' lottery was implemented.
In your particular example, I don't see any good reason to limit to one individual. Each of them played a part in it and shares in culpability. Let the chips fall where they may. Or heads as the case may be.
Thursday 20th February 2014 09:57 GMT Anonymous Coward
overdone?
While, at first sight, I might applaud, on reflection: this might make them go under, i.e. the stream of customers, more or less steady until now, stopped so abruptly, will not just resume flowing after 3 months. Customers will have found alternative suppliers in these 3 months, and won't just come back when this company resumes their business, unless they discount heavily...
That said: how do all those NEW ventures ever begin? From scratch (sometimes).
Thursday 20th February 2014 11:25 GMT Pascal Monett
I bow before the judicial system of such a country.
Doing that around here would generate an avalanche of protests citing "exceeding authority" or "unconstitutional" and a flood of media spin in favour of the bank subject to punishment.
Remember, our banks are "too big to fail", therefore untouchable even when they patently do wrong.
And yes, I do happen to think that it is the CEO that should go to jail for grave mistakes made by personnel HE IS RESPONSIBLE FOR. But I understand that "responsibility" is nothing more than an entry in the dictionary these days.
Thursday 20th February 2014 21:10 GMT Tom 13
Re: mixed feelings about this...
So long as they are the right employees, I don't have a problem with that.
A long time ago I worked at a company where the receptionist kept her password on a piece of paper under her keyboard. Every year we went through the standard IT security training which included the bit about not keeping your password on a piece of paper under the keyboard. Everyone on the Help Desk team at one time or another made it a point to raise this issue with her. She stubbornly responded: "There's nothing in my files that's important to anyone and I don't have anything personal on the computer."
Friday 21st February 2014 09:56 GMT Anonymous Coward
Re: mixed feelings about this...
She stubbornly responded: "There's nothing in my files that's important to anyone and I don't have anything personal on the computer."
Our staff contracts (and inductions) make it VERY clear that we take security seriously - this receptionist would be on probation after her first violation, and terminated after her second. We've already made security as easy as it can be (our own observations are that complexity prompts people to seek a way around it), but we have extremely tight legal obligations to meet, and very high client expectations.
And HR would be asked to explain how we got such a person in the first place...
Friday 21st February 2014 16:23 GMT Tom 13
Re: HR would be asked to explain how we got such a person in the first place...
She was a very early hire with the company. And excluding the security violation the most competent receptionist we had. When she did retire the roulette wheel of receptionists began and we never again had one who matched the rest of her skill set. She was also a very pleasant person.
I have scarier stories than that one. But I'd never post them on a public site, only tell them to friends during a board gaming session on the weekend.