The Information Commissioner's Office (ICO) has imposed the first financial penalties since gaining increased powers in April to fine organisations up to £500,000 for breaches of the Data Protection Act (DPA).
But the fines of £100,000 for Hertfordshire County Council and £60,000 for employment services company A4e are nowhere near the maximum penalty.
The council was fined for breaching the DPA twice in two weeks, by faxing the details of a child abuse case and a child protection case to the wrong recipients, and A4e for losing a laptop containing the unencrypted details of 24,000 people.
Why did the ICO pick these as the first two organisations to go after, when bigger fines against more high profile organisations would have had more impact?
Setting an example?
Ed Macnair, chief executive of user management firm Overtis, says the fines appear to indicate the ICO has real teeth, but notes that in the case of the stolen laptop the penalty works out at less than £3 for each lost record.
"When you consider the fact that A4e is a £145m company, the breach has had a higher impact on the 24,000 individuals whose confidential information has been lost," he says.
But Stewart Room, partner at law firm Field Fisher Waterhouse, believes these cases will become high profile in their own right.
"The status of the data controllers does not matter. These cases will be case studies for years to come and they are bound to attract international publicity," he says.
The ICO is likely to recognise, says Room, that it is not the identity of the controller that matters, but rather the publicity that a fine itself will generate.
The choice of organisations may not be as arbitrary as it appears at first, because Room believes the fining of Hertfordshire County Council is a bold move in times of public sector cutbacks that is likely to get the attention of taxpayers.
It also highlights the issue of misdirected faxes, which is the kind of problem that data controllers should be on top of.
"This fine also proves that ICO has the guts to take regulatory action that is bound to be unpopular in some quarters," says Room.
The fining of A4e highlights the common problem of stolen laptops containing unencrypted personal details.
"This fine tells organisations that they will face financial penalties for the acts of criminals, and that they need to ensure that their risk assessments cover malevolent and opportunistic threats as well as the threats caused by mishaps and accidents," says Room.
Both cases demonstrate that no organisation is immune from tough regulatory action for breach of the Data Protection Act, he says, and that theft and misdirected communications are "business as usual" problems for all organisations.
Macnair says the technology is there to prevent information from being stored in unencrypted format and to tightly control the faxing, sending and printing of confidential information.
"Let's hope that the ICO's action encourages other organisations to urgently review their policies and procedures," he says.
Where the buck stops
Mark Fullbrook, UK and Ireland director at security firm Cyber-Ark, says the onus is on organisations to put in place systems that provide a secure environment in which to share data.
"The first fines should hopefully serve as a wake-up call for all those who have ignored this ticking time-bomb for so long. The products are out there, so organisations need to get wise or risk the wrath of an ICO eager to flex its muscles," he says.
According to Room, the fines represent a "coming of age" for the Information Commissioner's Office.
"For so long ICO has been the weak man of Europe as far as privacy regulation is concerned. Through these fines ICO now joins the ranks of one of the continent's toughest regulators," he says.
Room says the ICO had to fine well below the maximum allowed so that it has enough "ammunition" for the worse cases that are bound to follow.
"What we now know is that it will be an exceptionally serious breach that will command the maximum fine," he says.