UK data watchdog: Massive fines won't keep data safe

The UK’s data protection watchdog has said issuing fines "left, right and centre" is not the way to ensure privacy. However, Information Commissioner Christopher Graham added that this doesn’t mean his office shouldn’t have those exact powers at its disposal. “The obligation laid on data protection authorities always to fine …

  1. Zippy's Sausage Factory

    In other words...

    "We want the ability to not fine someone quarter of a million if they actually spend half a million beefing up their security and start taking it seriously, because otherwise management might decide that if they're going to get fined anyway and can't avoid the bad PR they might decide not to bother with better security"

    That's how it reads to me. (And yeah, seems sensible)

    1. Doctor Syntax Silver badge

      Re: In other words...

      I think I'd prefer "you spend the half million and here's a quarter of a million fine just to remind you of what'll happen if you have a relapse".

      1. Mad Mike

        Re: In other words...

        Fines are never the answer. Most executives are at a company so short a time that they don't care about the company, whether it survives or is financially viable. They're there to make a few quick bucks and then move on. So, if they get away with it and don't get caught, more money for the bonus pot. If they do get caught, worst case the company disappears and you move on. It's a win/win situation for execs.

        The only solution is to make them personally responsible, with serious personal fines and jail time. Take away plausible deniability and make them demonstrate exactly why they're not liable rather than prove they are. Make them prove they did enough. Then, execs might start taking this stuff seriously.

        They're paid a lot of money for the responsibility they supposedly carry. However, in reality there isn't really any responsibility. So, let's make them responsible and earn their money.

        1. Anonymous Coward

          Re: In other words...

          Unfortunately there are so many inept CEOs and corrupt politicians that it's extremely rare to hold the CEO accountable for anything though they certainly should be. If Bill Gates, Tim Cook and other corporate criminals went to prison for 35 years as they should for their crimes, then we'd see CEOs take their jobs and security much more seriously. Otherwise they just pay lip service to security and corruption.

        2. streaky

          Re: In other words...

          Fines are never the answer

          They're not the answer but if they're big enough and often enough they might be enough to prevent people cutting corners short term. What I'm saying is they're not going to suddenly secure every system in the country but they might help drive investment in competent persons and stem the security brain drain and outsourcing.

  2. Doctor Syntax Silver badge

    IIRC the original DPA had a sanction to forbid the offender from processing data. That's what I call an effective sanction.

    1. Lee D Silver badge

      It takes a day to form another company with the exact same staff and then "outsource" all your data handling to that company.

      That's probably why that sanction never persisted in law.

  3. Anonymous Coward

    I agree fines are not

    Fines for some companies are just the cost of doing business.

    Consent decrees however and criminal penalties for the execs for breaching them... That is an entirely different ball game.

    1. Charles 9

      Re: I agree fines are not

      Thing is, the executives remove themselves from the nitty-gritty so they can claim plausible deniability. As for consent decrees, what if they decide to take their ball and leave instead? Plus there's the risk of collateral damage to innocent customers.

  4. Chris Miller

    Fining corporate bodies is pointless (unless the fines have 10 digits), particularly publicly-owned bodies. Make the directors personally liable. A few cases of bailiffs towing away Bentleys and confiscating the title deeds to the agreeable villa in Tuscany might persuade some of them to start taking security seriously.

    1. Anonymous Coward

      The directors take great pains to remove their liability for misdeeds. They act in broad: one step removed. Pinning the blame on them would be like trying to pin the tail on a runaway donkey.

      1. Mad Mike

        Turn it around

        Change it around and make them prove they've done enough. There's plenty of places in English law now where you're guilty until proven innocent.

        1. Anonymous Coward

          Re: Turn it around

          No, No, No.

          Let's never go down that road.

      2. the spectacularly refined chap

        The directors take great pains to remove their liability for misdeeds. They act in broad: one step removed. Pinning the blame on them would be like trying to pin the tail on a runaway donkey.

        There are established mechanisms to deal with that: for example you can use the Health and Safety at Work Act as a template in that regard. Directors are personally (and criminally) liable for any breaches of the act within their company. They can't wriggle out of it and transfer the responsibility on to someone else, in fact attempting to do so is itself evidence of guilt.

        However, it doesn't matter what they do, in any company of a few thousand people there is always going to be plenty of stuff going on that the directors are completely unaware of: if two junior staff decide by themselves to develop a "more efficient" way of working that is unsafe, management do not necessarily hear about it until it is too late. Their only effective defence in such a case is to point to procedures they have in place: for example that safe working practices have been determined and staff have been trained in their use, that relevant equipment is provided and in appropriate condition, that regular health and safety audits are carried out, and there is a well defined whistle-blowing mechanism to raise issues that still crop up. If you can show all this the courts take a reasonable view - you did everything practical to ensure the workplace was safe but shit happens, therefore no guilt attaches to you as a result of this accident.

        There is no reason in principle data protection could not be similar. I'm not entirely convinced about criminal liability - calling for that to me always sounds like vindictiveness after the event, and putting too much control at the very top is also putting that control into the hands of non-specialists - but I'll leave that to one side. I think (hope) this is the point the ICO are trying to make - the fact there is a breach should not necessarily lead to a sanction. If there was gross negligence and sloppy practices then sure, fine them and fine heavily. If on the other hand you can point to solid procedures in place to protect data and that they are subject to regular review to keep them current, but still have a breach falling into the "shit happens" category, perhaps that should be viewed as an opportunity for review as to how defences can be improved in future.

  5. Amphibious RawCod

    A £250,000 fine to Sony is literally nothing. I am reminded of the scene in Quadrophenia when Ace Face offers to pay the fine on the spot.

    1. Anonymous Coward

      Fines

      I agree - the problem with the ICO is that the fines are a joke for most major offenders.

      I doubt Sony would have noticed £250k as anything other than a rounding error in its corporate accounts.

      For some, small, businesses, the fines can be painful, but on the whole they just wind up the company and start again. It all boils down to the cost of doing business.

      If we use Staysure as an example, the ICO fine averaged about £1.50 per record breached. In 2012 Tetrus telecoms was fined for selling records at a reported £5 per record. This implies that each record is worth a reasonable sum to companies and the fines for mishandling are off-kilter.

      What the ICO needs to do is make company directors / CEOs personally responsible for data in their organisation and send them to jail if they deliberately cut corners and get breached. I don't mean a mandatory jail sentence, but it should be an option to prevent "cost of business" decisions.

  6. Anonymous Coward

    Money is no object

    12 months in the Scrubs picking up the shower block soap for Big Jim may have more impact.

    Also imprison a few bankers and non-dom newspaper proprietors for good measure.

  7. Ian 62

    Fine is a contract employing someone

    How about a fine that directly funds someone else's job.

    Leaky data, Pays a contract for a security consultant?

    Dirty hospital, pays a contract for a cleaner?

    Corrupt bank, pays a contract for an auditor?

    Corrupt copper, pays a contract for legal advisor?

    Crap school, pays a contract for teacher training?

    Keeps the money going round, maybe gives a few real people some real jobs, and gets the problem directly addressed?

    1. Charles 9

      Re: Fine is a contract employing someone

      They're trying that with Apple in the US, and it's still rather messy over there. How do you deal with that without trampling on the rights of the customers?

      1. Trevor_Pott Gold badge

        Re: Fine is a contract employing someone

        Customers haven't had any rights for decades. Why start worrying now?

  8. 45RPM Silver badge

    Nothing will keep data safe

    If the government passes laws to mandate the inclusion of back-doors in all encryption systems then nothing will keep data safe - and having a watchdog will be pointless and a waste of money. It's like installing a state of the art security system and then leaving the key under the flowerpot.

  9. Anonymous John

    The bleeding obvious.

    The taxpayer/customer pays the fine and the person responsible doesn't give a flying ****.

  10. Mad Mike

    Most effective solution

    The most effective solution to prevent data breaches etc. is simply not to store it in the first place. Some data is required of course, but huge amounts of data, not really required, are kept by most businesses. How many companies have got records going back decades? How many know far more about you than is really required to perform their business? A lot.

    If you don't have the data, you can't leak it!!

    Many companies actually go out of their way to obtain more and more data about people without having any real idea of its value or what they're going to do with it. The view is, the more data they have on a customer, the more useful it MIGHT be in the future. Much of it proves not to be, but is a big leak risk.

    1. Anonymous Coward

      Re: Most effective solution

      "The view is, the more data they have on a customer, the more useful it MIGHT be in the future."

      It's the "save it for a rainy day" attitude. The LAST thing they want is to learn that something obscure can be turned into the Next Big Thing...only to learn they stopped collecting the stuff a long time ago. For them, the opportunity cost of keeping things for a rainy day (even with the risk of a breach) is less than missing out on the Next Big Thing, which could be an existential threat if they're not in on it. Since they're up against an existential threat, the only thing that will shake them is another existential threat, only more likely. Trouble is, threatening something like that can bring collateral damage just from the threat.

  11. Anonymous Coward

    £250k? Is that all?

    The problem isn't the fine, the problem is the fine isn't big enough. £250k is *nothing* to Sony. It won't even register. Simply fine £1,000 per breach. Millions of user details lost? Yeah, that fine *WILL* hurt.

    In fact, that fine would be so large that the likes of Sony might actually start to give two shits and implement decent security.

    Then again, we are talking about a company that thinks it's perfectly OK to launch a global cyber attack against its own customers.

  12. Anonymous Coward

    Make the fines actually hurt

    Token fines don't dissuade any crim be it a CEO or hacker. Serious fines and prison time however will deter many. When you fine Microsucks 1.5 billion, it don't mean nothing to them. Bill spends that amount on lunch. If however you fine them a hundred billion, now you've got their attention and that of their stockholders who are going to lose their dividends and stock value from the crime and the fines.

    Sending CEOs to prison will also make a huge change in the ideology of most corporations. As it stands now a CEO can allow his company to perpetuate all sorts of criminal activity or be grossly negligent in security and never suffer any personal punishment. The company gets a small fine that routinely doesn't even relate to the profits generated from their crimes or the damage done to their customers.

    1. Anonymous Coward

      Re: Make the fines actually hurt

      But the thing is, they can reasonably argue that they weren't personally responsible for the actions of those underneath them. It's part of how the corporate hierarchy works: each higher level only knows the activities of the lower ones in broad. That's why they're structured the way they are: the specialists are supposed to be doing the actual nitty-gritty. Doing what you demand would force the structure to become micromanagers, and people tend to hate micromanagers.

      This combined with an "innocent until proven guilty" legal standard means the only way you can nail the executive is to pin them to a specific crime, and having an underling ruin things isn't a crime unless you can prove they knew what was going on, which they can just deny and the other executives swear by the lie.

  13. Anonymous Coward

    Saying fines aren't the answer isn't the answer either...

    I see a worrying trend here. Much like crooked banking, we'll soon have 'deferred prosecutions' along the lines of: Please don't fine us, let us put the same amount into our tech infrastructure instead...

    But the truth is corporations are behaving badly by repeatedly requesting and storing information they have no right to, just in case they can think of ways to monetize it or sell it down the road. Take the Reg article below for example.

    What data regulators should be doing is auditing more companies and insisting on the mass purging of 'our data'...

    ______________________________________

    "Security expert Troy Hunt has taken a look at what mobile apps collect to send home to their owners, and isn't impressed: even PayPal is still addicted to invasive habits....they’re obtaining data from me that I had absolutely no idea about”.

    http://www.theregister.co.uk/2015/04/26/app_makers_youre_still_doing_security_wrong/

  14. Anonymous Coward

    Cut off their access to the Internet

    The company, its executives, the members of its board.

    That should make it easier to do the right thing.

    Best part is, it doesn't require the government to make that happen. Just some strategically placed mis-routing buried so far in the system that it will take them decades to sort it out.

  15. dephormation.org.uk

    What does it take to get the ICO to do actual work?

    The excuses...

    "We are not IT experts"

    Then... "ICO are not IT experts and we lack the power to fine"

    Then... "ICO are not IT experts and have the power to fine, but the fines are not big enough to make it worth bothering"

    Then... "ICO are not IT experts and have the power to fine, and the fines are now big enough to hurt offenders, but we are still not going to do it because it might hurt offenders"

    And now they wonder why, despite 97% public awareness of data protection, only 1% of respondents would bother complaining to the ICO when a data protection offence occurs.

    The ICO are absolutely pointless. The truth is there is effectively no data protection in the UK at all. It doesn't matter what the law says any more. Doesn't matter what you think your rights are. No regulator will protect you. No law will be enforced.

    Do not trust the ICO to defend your privacy rights against crooks. It never happens.
