UK business can learn a lot from the first financial penalties for data protection failures imposed by the Information...
Commissioner's Office (ICO), says a data protection lawyer.
The ICO imposed penalties on the Hertfordshire County Council of £100,000 for twice misdirecting faxes and on employment services company firm A4e of £60,000 for failing to encrypt 24,000 personal records on a stolen laptop.
According to Stewart Room, partner at law firm Field Fisher Waterhouse, the first lesson to be learned is that the ICO will punish low-level business-as-usual failures.
"Failure to encrypt personal data and to ensure electronic communications are sent to the correct recipients has been highlighted repeatedly by the ICO since 2007," he said.
The first financial penalties, like much of ICO action, focus on systems and operations.
"HCC was punished because it failed to prevent misdirected communications from happening a second time," said Room.
The ICO expects all organisations to have an incident response strategy to data protection failings that includes preventing them from happening again, he said.
There was also an operations failure at A4e, because despite having a policy to encrypt personal data, a laptop, which was later stolen, was issued without encryption.
"This tells us the ICO considers encryption as a mandatory privacy-enhancing technology," said Room.
It also shows that the ICO will hold organisations liable for the acts of criminals if they have not taken adequate steps to protect personal data.
The first financial penalties finally highlight the breach reporting dilemma, because HCC and A4e were punished despite notifying the ICO of the data breaches.
However, Room believes that the penalties would have been much higher if the organisations had not demonstrated a willingness to do the right thing.
"Punishment despite good behaviour also demonstrates the ICO's policy of zero-tolerance for such low-level failings," he said.