Businesses have one week to limit risks of new ICO powers

Nearly two-thirds of London city workers are unaware that businesses can be fined up to £500,000 for serious data breaches after 6 April, a survey has revealed.

The fines are part of new powers granted to the Information Commissioner's Office (ICO), but 65% of those polled by security firm Cyber-Ark Software did not know of the changes.

Organisations with gaps in their data security systems could be in for a nasty surprise when the ICO hits them hard, says Stewart Room, partner at law firm Field Fisher Waterhouse.

Relatively few organisations seem to be taking the changes seriously, but the first ones to be hit by the new fines will suffer not only financial loss, but huge damage to reputation, he says.

"This is about naming and shaming and will be big news when it happens. The consequences are likely to include the sacking of scapegoats, who will be hung out to dry," says Room.

Despite this, the message is not getting through to many boards, with a number of top-level executives claiming they have not been warned of the changes, he says.

Unwillingness to ask for help because of fears about job security, a lack of understanding of computing among executives, and the fact that many IT security professionals do not have a voice at board level are all possible contributing factors.

But, says Room, the good news is that it is still not too late for organisations to take steps to limit the risk, which could save their organisations huge losses.

"Even if organisations have left it to the very last minute, they should still make a start because if they can show they are keen to embrace the right side of the law, they will have some defence and will not go down in flames as they might otherwise do," he says.

Creating a managerial committee responsible for making behavioural changes to comply with data regulations would be a "brilliant thing to do" in the coming days, says Room.

The ICO has advised in guidance on the new powers that it will consider what steps an organisation has taken to prevent data breaches.

For this reason, the first area that boards must look at before the new ICO powers come into force is their systems for dealing with emergency situations, says Room.

"They should not spend time on peripheral issues, but go to the heart of the issue and create a system to deal with data breaches, because that is what the ICO will look at first," he says.

Any board with its back to the wall could convene an emergency meeting and come up with a system for incident response in a day, says Room.

This will give lawyers at least one defence in the event of a data breach, he says, as they can argue that the organisation has demonstrated a willingness to make the changes to comply with regulations.

Room believes the new powers will change the dynamics of how UK organisations operate in terms of data handling.

He believes further changes will come if the next government is Conservative, because the party's position on transparency makes it likely to tighten regulations.

Room predicts that although lawsuits over data security are rare today, this will become a big industry in the UK within 10 years.

"After accidents, data security will be the next area to go litigious," he says.