One of the interesting points somebody made earlier on this week was about the difficulty individuals face in this country, if they feel so inclined, to claim damages against an organisation under the terms of the data protection act. The point was explained as follows:
Individuals can sue under the DPA BUT
a) The data subject must prove damage AND
b) The data processor can defend this lawsuit on the basis that they tried to comply with the rules AND
c) How much money will they win anyway?
There are many sources of reference warning organisations of the punitive fines that could be levied against them in the event of a breach of personal data. However, unlike in America where your personal feelings of being violated in the event of your data being stolen could result in the award of a decent retirement fund; here in the UK, the judge is more likely to tell the plaintive to grow up, stop whining and provide a DNA sample on the way out. In fact, when Liverpool city council were fined recently for the henious act of failing to comply with an information notice from the Information Commissioner’s Office (another government agency), do you know how much they had to pay? Have a guess. £300. Our American friends wouldn’t even have woken up, let alone gotten out of bed for that one. So, what chance a private prosecution for a data breach?
The question is, does that mean we don’t need to be so concerned? I’m ashamed to have even asked the question, because if you don’t know the answer then I hope none of my data is on any of your systems. If we’re charged with the responsibility of looking after personal data (as defined by the DPA) then we have a responsbility to do our utmost to be reliable guardians regardless of whether or not the chap in the wig is going to make us dig into our pockets if it’s compromised.
There’s our own reputation to think of too. Data breaches cost more than just legislative penalties – they hit share prices and they hit investor confidence. See my earlier blog entry here for more information about how much.
The point I want to make applies also to PCI, SOX, HIPAA, and any other of the multitude acronyms that we have to contend with these days. Why are we doing the work for them? To be compliant you will reply. Wrong answer – go to the bottom of the class. The correct answer is because we desire to mitigate risk and implement a decent set of controls and above all do the right thing. If we were already doing that then the legislators wouldn’t need to bother with us, and could go and pick on somebody else, and PCI would stand for something else completely.
So, the message is to continue striving to achieve the standards required of regulatory compliance but do it because you want to achieve a decent level of maturity in terms of information security rather than just to put the ticks in the boxes.