Does the ICO have enough power to stop data breaches?
With two breaches of the Data Protection Act being reported this week, we ask some experts whether the ICO is doing enough to help prevent data losses in the UK?
"The growing number of high profile data breaches, the increase in the ICO's powers and the media coverage of these breaches, have ensured that the issue of data protection has not only become a board level matter for companies, but has also gained considerable public attention.
While the FSA and ICO have different remits and the ICO puts a heavy focus on working with businesses to ensure that steps are taken to stop data breaches happening again, sooner or later the ICO is going to have to use its fining powers in order to show it has teeth.
"A fine makes it very clear to the general public that a significant error has occurred and, although 500,000 may not be a significant amount to a large organisation, the surrounding publicity can potentially be more damaging. It is this that a majority of larger organisations will seek to avoid."
Peter Hall, partner in Wragge & Co's information law team:
"I don't think there is a lack of power now.
"I suspect it is the age old problems of any regulator really, that they've got a lack of enforcement ability, just in terms of actual manpower.
"The major fines [for data loss] have been delivered by the FSA rather than the ICO, so it does sort of signify a different mindset between the FSA and the ICO on these things in terms of how they approach those sort of data loss in the financial services sector.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
"It seems to me the ICO tends to leave it to the FSA to wield the heavy stick a little bit.
"Maybe the position we're in at the moment with the ICO is that they're still being a little bit cautious about wading in with big financial penalties against companies. Whether that is the right or wrong approach, you could accuse them of being a bit lily livered."
Edy Almer, vice president of product management at Safend:
"Looking at the case of Zurich Insurance and the 2.2 million fine issued by the FSA, this shouldn't necessarily be seen as a sign that the ICO should raise their fines from the 500,000 maximum that they are currently able to enforce. The fines are already higher than the cost of implementing solutions to properly manage data security.
"If anything, the ICO should issue smaller fines and more often.
"If Europe and the UK do not start acting fast, there will be more instances of this kind and once it's out, the genie cannot be put back in the bottle."
Murray Pearce, director at Vigil Software:
"Although in these cases, fines have not yet been issued, the question has once again been raised on what impact the ICO's powers to fine up to 500,000 have had.
"Is the threat of higher fines alone enough to make organisations take action, or does the ICO now need to act on its new powers to set an example to the industry? Time will tell the full impact of these tougher penalties, but it's certainly true that compliance is providing the impetus for security projects to be approved, that would have been requested by IT managers anyway."
Tom Brewster is currently an associate editor at Forbes and an award-winning journalist who covers cyber security, surveillance, and privacy. Starting his career at ITPro as a staff writer and working up to a senior staff writer role, Tom has been covering the tech industry for more than ten years and is considered one of the leading journalists in his specialism.
He is a proud alum of the University of Sheffield where he secured an undergraduate degree in English Literature before undertaking a certification from General Assembly in web development.