Skip to content

Tougher penalty required on data loss?

Avatar

by

23/09/10 in Data loss | Identity Fraud/Theft |

We all know the statistics; the number of identity fraud victims is growing year-on-year and we all need to be vigilant when looking after our personal information.

  • What happens when personal information is lost, leaked or stolen?
  • Is it outside our direct control?
  • Who do we look to blame?

In the UK, the Information Commissioner’s Office (ICO) has said the number of incidents of loss or theft of personal data has risen to an ‘unacceptable’ level in the past year. The ICO reported 434 separate incidences of data loss in the past 12 months, a 57 per cent increase year-on-year.

"Unacceptable amounts of data are being stolen, lost in transit or mislaid by staff." 

Deputy Information Commissioner, David Smith, said: “Unacceptable amounts of data are being stolen, lost in transit or mislaid by staff. Far too much personal information is still being unnecessarily downloaded from secure servers on to unencrypted laptops, USB sticks, and other portable media.”Suitcase left on airplane

In order to do something about this the Ministry of Justice has proposed a maximum fine of £500,000 for a breach of the Data Protection Act from April 2010.

It is hoped the fine would reflect the importance the UK government is placing on safeguarding personal data. Justice Minster, Michael Willis, said: “The introduction of civil monetary penalties should contribute to increased compliance with the data protection principles and greater confidence for data subjects that their information is being handled correctly.”

CPP’s own research into the issue is interesting.

One in five employees don’t trust their own employers to protect their information at work and less than a third is satisfied with their own company’s security procedures. Shockingly, a quarter of employers admit to taking personal information out of the office, leaving personal information on their desks (19%), storing sensitive information on USB sticks (10%) and one in ten fail to shred employee personal information.

Most telling, and in line with the Government’s actions,  four in 10 employees want organisations to be fined for infringing on personal data protection. However, a quarter would go as far as having prison sentences for those who repeatedly put them at risk.

So, several questions arise here:

  • Firstly is the scale of a the ICO fine enough to make the protection of customer data a ‘board level’ issue – much like health and safety is today.
  • And is the fine proportional to the damage inflicted on those who have their personal information misused for fraud? 

The answer to both these is probably not.

  • Finally, what is the definition of ‘recklessly participate in the loss of private information’ that would trigger civil penalties against organisations?

Is it employees accidentally leaving laptops in taxis or on public transport, hackers accessing confidential files, sensitive waste left insecure, unencrypted hard drives and inadequate firewalls, or employees illegally selling customer data?

One thing is certain. In the future we will see more breaches of customer data putting more people at risk of identity fraud until the maximum civil penalty makes organisations wake up and take data security more seriously.

Be the first to comment

    • By registering your comment here you are agreeing to the CPP Blog code of conduct.

  • *All fields are required

In this section

Latest Articles

Popular Articles