Half a mil? You gotta be kidding
10% of worldwide turnover (at least), doubled for repeat offenders. Then it will be fine. Prior to that it is the cost of doing business so who cares.
The UK government should consider raising the level of fines that the Information Commissioner's Office (ICO) can impose on organisations that breach the Data Protection Act (DPA), an expert has said. Data protection law specialist Kathryn Wynn of Pinsent Masons, the law firm behind Out-Law.com, said that a previous increase …
We don't need to fine councils and such huge amounts of money. They don't care - it isn't theirs. No - what we need is to fine the *people* responsible (operators, CEOs etc) much *smaller* amounts of money, so they actually feel it personally. Mind you, trying to find out who *is* responsible in a council is nigh on impossible these days...
If you fine governmental bodies, you're just moving numbers from one column to another, or (at best) fining taxpayers. If you fine corporate bodies, you're really fining employees/customers/shareholders - there are no other options - none of which are likely to have had any direct responsibility for the breach.
If you want to do something effective, make directors (or their equivalent for government bodies) personally liable. Confiscate their Bentleys, make them sell their agreeable second homes in Cornwall/the Algarve. That will get people's attention, I guarantee. Of course, the fact that our legislators are all looking forward to such cushy numbers means this is very unlikely to happen.
Exactly what I was thinking.
Start making somebody responsible.
Fine the company, so they don't just make the position expendable. Put a 5 year ban on the responsible director / supervisor and a hefty fine to that person.
That should make people take security somewhat more seriously. A little personal touch.
@Chris Miller: Although fines do, indeed, end up paid by customers, they do have a very material effect on the company. In particular, if fines are heavy enough, they don't end up being paid at all: they cause a change in behaviour (which is what we want to achieve) because good behaviour becomes much the lower cost (thus maximising the shareholders' benefit).
that an entity breached the data protection act on purpose for self gain, the directors/owners of that entity cannot be trusted and should be fined, black listed and NOT allowed to direct/run any other entity that handles personal data ever again.
If the breach was through incompetence or accident and unintended, punishment will not necessarily help that entity secure its systems. Security costs money and fining an entity just adds more cost and potentially more problems as corners may be cut to meet the expense of the fine.
Compulsory training paid for by the entity at fault is more likely to produce positive results than financially punitive measures.
Many things are various shades of grey; there is no right or wrong way to proceed. Dishonesty and honesty are diametrically opposed, and in such an instance it *IS* a case of black and white, right and wrong.
"If it can be proved ....."
Establishing the guilt of directors, or even the corporation itself requires the prosecution to establish vicarious liability under UK law, which means proving they knew. If you can't show they knew, both corporation and directors aren't guilty, even if their officers are. This might be why News International and its scumbags are busy claiming they didn't know about phone hacking. A cynic might also presume this is why so much of the email evidence mysteriously got deleted to save disk space, and why laptops found their way into ponds and bins.
To change the rules of vicarious liability would be a very far reaching reform of law and won't happen in my view. However, the ICO specifically don't levy legal fines, they issue civil monetary penalties, and that's how they avoid having to prove liability in court. There is a quasi judicial appeal route, but that has additional costs and risks, and the business still has to pony up the cash until and if the appeal tribunal determines it should be reduced or repaid.
The interesting thing is that ICO can already levy monetary penalties on "natural persons" (ie individuals) as well as "legal persons" (ie organisations). In this respect the ICO have the power to "fine" individuals already; they appear generally to choose not to use this power. So it seems to me that the ICO need to use their existing powers more precisely to target individuals, as well as having the ability to fine larger organisations more (so that the likes of Google, BT/Phorm et al would be suitably admonished if caught breaking the rules).
Fines (especially at this level, for multinationals) are as the article says "a drop in the ocean". However no matter what level fines are set at, they still only get paid by the organisation as a whole - or more likely: by the shareholders or tax-payers who ultimately suffer the loss. They don't punish the individual who was responsible for security and who made (or failed to make) the decision that led to losing data that other people had entrusted to the company. Since it's individuals who get the rewards, it's reasonable that they should be held to account for their failures.
If you really want to focus the attention of the people in charge, jail time is required.
The spotlight should start at the top of the organisation, and only move down to lower-ranking named individuals if or when it can be shown that the person in question could not have influenced, made, or reversed choices that led to an insecure IT operation.
There is already an offence called Misconduct in Public Office which can carry a heavy sentence. Maybe all that's needed is to extend this and (like with pretty all existing laws) simply start to use it, rather than create even more new laws.
Where it is clear that an individual acting for a business has made a deliberate choice to misuse either data the business holds, or data acquired elsewhere, not only should the business be fined, but those making the relevant decisions should be held personally liable and prosecuted, with a large fine if found guilty, or in the worst cases a custodial sentence. Perhaps it'll be harder to be glib about cynically exploiting others if the cost of getting caught is paid very personally rather than by your employer.
The current limit on fines limits their effects solely to smaller businesses; beyond a certain point it's merely 'the cost of doing business'. They should reflect the company's turnover and global reach, and in the most egregious cases should be unlimited in any case if the offence warrants.
There's a lot of cynical pisstaking going on that is being given dubious benefit of the doubt as 'honest mistakes', and it really does need reining in.
... I don't see such a big problem with fining private companies for data security breaches. If a private company has kept bad security and/or sold private data to other parties, chances are that the shareholders also profited from it. A fine consisting of a % of the company's value would drive home that the shareholders are responsible for the people they approve as CEOs and managers. Of course, said CEOs should also be fined, but if the shareholders get off scot free they'll get no incentive for doing things better the next time, and will hire similar scum again for the position.
And I agree with you (up to a point, Lord Copper). But, like it or not (and I don't), 90% of shares in publicly traded companies are held not by individuals, but by faceless corporate investment operations. Unless you're Bill Gates or Warren Buffett, individual shareholders have about as much control over the management of a company as the average Catholic does over the running of the RC church. If you don't like it, you can leave, and that's about it.
Directors, on the other hand, have a direct say in the appointment and remuneration of senior officers and are in a position to dictate policy. They get well paid for their responsibilities, and it's about time they faced up to them.
For my money, the ICO should get the power to appoint an auditor/advisor to oversee data breach offenders, helping/forcing reforms until they are compliant. Ideally a similar model to the court appointed auditor that Apple are fighting tooth and nail with at the moment.
If a company can shrug off £500K fines, perhaps an independent government employee doing rigorous penetration testing of their networks should send the requisite shivers down spines, especially when they realise the auditor could stumble across more naughty activity that they'd have a legal duty to report. As an added benefit the Directors would get a first hand taste of how important it is to protect data.
Well done el Reg. You have identified the problem of how to secure justice when an organisation commits crime or poor practice or even improper practice.
Applying a fine seems fair but is it justice?
What justice can be served by fining an organisation money that goes to UK Treasury?
(My take: none, but it seems to satisfy a Brit tradition of inflicting harm on those who harmed, and that is revenge, pseudo-revenge or revenge by proxy, NOT justice).
For a publicly funded body there is no justice served if the public are further denied and more poor service (and continued injustice) be maintained.
I am sure there is an answer and I am equally sure that Whitehall will seek to avoid that question and answers?
"Applying a fine seems fair but is it justice?"
There is a whole range of actions the ICO can and does take, of which fines are the end of the line, after audits, enforcement notices, undertakings and the like. What would you like them to do differently? Round up the guilty and have them beaten by special services blokes in balaclavas?
As for Whitehall avoiding the answers, the ICO have wrung an undertaking of compliance out of the Treasury Solicitor's Office for example, along with a fair number of police forces and health organisations, so I think they do a reasonable job of holding government to account without fear or favour. The ICO only issue fines where they feel the seriousness or repeated nature of an offence merits it, and that seems eminently reasonable.
For some reason the line from the old Mel Gibson movie "Payback" comes to mind.
"When you go high enough it comes down to just one man."
When it's their a**e that's going to do, say, 6 months for each person's data that goes astray, you can bet things will get a lot tighter.
It is not the mistakes that bother/worry me, it is the deliberate actions taken to avoid the requirements of the DPA. Such as the data sold from the hospitals being de-pseudoanonymised, deliberately, in order to put a name to the data.
Although many have pointed out the method of anonymisation seemed to have been chosen so that it COULD be associated with the original person!!
And you begin at the top. The executives and managers get paid large salaries for a reason. You kick *THEM* hard, not the poor bastard on the ground. Punish from the top down (including sacking and barring from public duty/office) a few times and you can be sure executives -> managers -> team leads -> workers will ensure that processes exist, are enforced and are continually improved.
Fines do not work.
Sacking underlings does not work.
Once adequate processes exist, only then can you begin to target the lower echelons.
Have I misunderstood the article or does it really say that the current government review of the penalties is only about the penalties for stealing the data, not the penalties on data controllers for losing or misusing the data? This seems to be about increasing the punishment for the evil hackers instead of increasing penalties for those who do not apply sufficient care to protect our data or (worse) deliberately misuse the data.