ICO to fine firms up to £500,000 for data breaches

Firms that incur serious data breaches could be fined up to £500,000 when new statutory guidelines come into force on 6 April.

Information commissioner Christopher Graham said the penalties were designed as a deterrent and to promote compliance with the Data Protection Act.

Citizens are increasingly asked to complete transactions online. The state, banks and other organisations are using huge databases to store their personal details, he said.

"When things go wrong, a security breach can cause real harm and great distress to thousands of people," he said, adding he would not hesitate to act where organisations disregarded the law.

Jamie Cowper, director of European marketing at PGP Corporation, a data encryption firm, said 70% of UK firms admitted they were hit by at least one data breach last year.

"The cost of data breaches is already staggeringly high for UK businesses," he said. He said the average breach last year cost £1.7m, or £60 for each identity lost.

"If the ICO's bite turns out to be as big as its bark, this cost could exceed £2m," he said. "This is a huge expense at a time when businesses and public sector bodies can ill-afford to waste money."

Chris McIntosh, CEO at hardware encryption specialist Stonewood, said the move showed that government was starting to take data breaches more seriously.

But he said businesses faced too much confusing bureaucracy and red tape for data compliance to be effective. "Government needs to provide simple, straightforward legislation regarding the protection of personal data through encryption, as this is the only way to make sure that if data is lost or stolen, it cannot be misused if it gets into the wrong hands," he said.

McIntosh said it cost around £200 to encrypt a hard drive. "With the cost of a breach now anything up to £500,000 just in fines, it really is in everyone's interest to protect the data that they hold," he said.

The ICO said that before it fined firms it would consider the circumstances, including the seriousness of the data breach; the likelihood of substantial damage and distress to individuals; whether the breach was deliberate or negligent and what reasonable steps the organisation has taken to prevent breaches.

Who will be fined?

For a data breach to attract a monetary penalty the ICO must be satisfied that there was a serious breach that was likely to cause damage or distress, that it was either deliberate or negligent, and that the organisation failed to take reasonable steps to prevent it. Examples include:

  • Where an individual becomes the victim of identity fraud following a security breach of financial data by a data controller.
  • Where an individual suffers worry and anxiety that his sensitive personal data will be made public, even if his concerns do not materialise, following a security breach of his medical record by a data controller.
  • Where a marketing company collects personal data for one purpose and then, without the individual's knowledge or consent, knowingly discloses the data to a third party for another purpose.

The full guidance can be downloaded from the ICO website.