Tougher penalty required on data loss?
We all know the statistics; the number of identity fraud victims is growing year-on-year and we all need to be vigilant when looking after our personal information.
- What happens when personal information is lost, leaked or stolen?
- Is it outside our direct control?
- Who do we look to blame?
In the UK, the Information Commissioner’s Office (ICO) has said the number of incidents of loss or theft of personal data has risen to an ‘unacceptable’ level in the past year. The ICO reported 434 separate incidents of data loss in the past 12 months, a 57 per cent increase year-on-year.
Deputy Information Commissioner, David Smith, said: “Unacceptable amounts of data are being stolen, lost in transit or mislaid by staff. Far too much personal information is still being unnecessarily downloaded from secure servers on to unencrypted laptops, USB sticks, and other portable media.”
In order to do something about this the Ministry of Justice has proposed a maximum fine of £500,000 for a breach of the Data Protection Act from April 2010.
It is hoped the fine would reflect the importance the UK government is placing on safeguarding personal data. Justice Minister, Michael Willis, said: “The introduction of civil monetary penalties should contribute to increased compliance with the data protection principles and greater confidence for data subjects that their information is being handled correctly.”
CPP’s own research into the issue is interesting.
One in five employees don’t trust their own employers to protect their information at work, and fewer than a third are satisfied with their own company’s security procedures. Shockingly, a quarter of employers admit to taking personal information out of the office; others leave personal information on their desks (19%) or store sensitive information on USB sticks (10%), and one in ten fail to shred employee personal information.
Most telling, and in line with the Government’s actions, four in ten employees want organisations to be fined for infringing personal data protection. A quarter would go as far as prison sentences for those who repeatedly put them at risk.
So, several questions arise here:
- Firstly, is the scale of the ICO fine enough to make the protection of customer data a ‘board level’ issue, much like health and safety is today?
- And is the fine proportional to the damage inflicted on those who have their personal information misused for fraud?
The answer to both these is probably not.
- Finally, what is the definition of ‘recklessly participate in the loss of private information’ that would trigger civil penalties against organisations?
Is it employees accidentally leaving laptops in taxis or on public transport, hackers accessing confidential files, sensitive waste left insecure, unencrypted hard drives and inadequate firewalls, or employees illegally selling customer data?
One thing is certain. In the future we will see more breaches of customer data putting more people at risk of identity fraud until the maximum civil penalty makes organisations wake up and take data security more seriously.