Stronger penalties needed for breaking the Data Protection Act

Another security breach makes the case for stronger penalties, sanctions and fines from the Information Commissioner's Office (ICO) against organisations that violate the U.K. Data Protection Act.

The case for much stronger sanctions against organisations that mishandle personal data is growing, following the latest series of security blunders.

Security experts agree that until the Information Commissioner's Office (ICO) is given the power to impose hefty data handling fines on those that are breaking the Data Protection Act, companies will continue to treat information with what one expert described as "reckless disregard."

The Criminal Justice and Immigration Act, which was approved by Parliament earlier this year, actually provides the ICO with the powers to impose fines. Until the Ministry of Justice comes up with a tariff of financial penalties, however, the ICO still has to rely purely on enforcement notices to force organisations to mend their ways.

The Ministry of Justice should produce the tariff by the end of this year, but the law will not be retroactive. Therefore any security breaches occurring now will escape fines from the ICO.

That is good news for Royal Bank of Scotland, NatWest and American Express, whose banking data was found on a server auctioned on eBay this week. Those businesses, however, will have the Financial Services Authority to deal with. The FSA fined the Nationwide Building Society £980,000 in February 2007 and Norwich Union Life £1.26m in December 2007 for serious breaches of security, so fines of that order can be expected for current breaches unless the companies can prove they took every measure to protect their data.

In the case of the auctioned server, the machine had been sent to a third-party archiving firm for disposal. The company in question works for a number of financial services companies and had presumably built a reputation for reliability. But in this case, the machine was somehow removed from a secure area, and ended up being sold on eBay.

The day after that revelation, a computer that had belonged to Charnwood Borough Council in Leicestershire, and contained information about local taxpayers, was also auctioned on eBay. The council issued a statement saying: "We ensure that every disposal of equipment is carried out by a reputable third-party organisation who provide certification for each batch of disposed equipment, stating that drives have been wiped, or are destroyed."

An individual has been arrested in connection with the case, proving that something went wrong along the line, despite what looks like a tight checking process.

The other recent case, where Home Office information about prisoners was lost after a consultant from PA Consulting loaded the data unencrypted on to a USB stick, further underlines the dangers of letting outside organisations near personal data.

However, given the nature of modern business life, in both the private and public sector, where large areas of activity are outsourced, these problems can only get worse.

So what lessons can the rest of us draw from these recent events?

Jeff Brooker, a data security specialist in PricewaterhouseCoopers' Risk Assurance Services practice, says information security needs to extend beyond the borders of the organisation itself. "Organisations have spent a lot of time building controls for their own security, but now they need to look at their controls and reliance on third parties," he says. "But getting good clauses in contracts can be tricky. Getting compliance and reporting into those clauses can be even more difficult."

Brooker says that with any such arrangement, it is vital to review and audit the way third parties operate.

Alan Calder, chief executive of IT Governance Ltd., a consultancy, agrees: "Most outsourcing focuses on offloading the work or the cost, but there is no connected thought process about the data. The Home Office cared enough to encrypt the data while it was on their premises, but they didn't care enough to go and audit the way in which PA was complying with their data security which hopefully existed in some form of contract obligation."

Calder is also wary of letting any third party dispose of equipment. "Companies should always ensure that PID (personally identifiable data) is destroyed on their premises and not left to a third party," he says. "You should always get your technicians to remove the disks and break them with a hammer. It's not a difficult job; a bank can arrange to have things destroyed internally under supervision."

PwC's Brooker says most of these events indicate a basic failure of organisations to see their information as a vital asset. "If I ask companies to list their critical assets, I would expect information to appear, but it doesn't," he says. "They don't really understand the value of information, and they don't know who in the organisation is the information owner."

Brooker was closely involved with the Poynter Review, which analysed the loss of two CDs from HMRC last year. That review made far-reaching recommendations for improved information handling in Government, many of which have already been implemented. But as Brooker admits, the process will take a while.

"The Government has done a lot to improve its information security, but security is a lot about process and people, it is not a switch that will change you from 'not great' to 'fantastic' overnight. It takes a long time," he said. "You have to train people, get the right governance in place. And get the leaders of the organisation to show the importance of security, not only in words but also in behaviour."

Calder is much more caustic in his assessment. "Given the systemic absence of care inside a ship like Her Majesty's Government, putting something in place that works is not going to happen in a couple of months," he says. "Organisations need to understand that their responsibilities extend to data when it leaves their premises – and that will take a long time to change."

Both Brooker and Calder say that most companies would benefit from going through accreditation for ISO 27001, and also insisting on it from their suppliers. "27001 is not a silver bullet – it doesn't solve every problem – but it takes organisations from a state of not knowing what to do, to a working understanding and a systematic approach to securing information," Calder says.

Both also agree that stiffer fines from the Information Commissioner's Office are a vital weapon in battling poor security. "We have been waiting a long time for the ICO to grow some teeth. By introducing fines and a stronger regulatory structure, it will take security on to a different plane," says Brooker.

Calder strongly agrees: "If PA Consulting knew it was going to be hit with a million pound fine for that sort of reckless disregard, it would stop them. We just need the Ministry of Justice to make its mind up on what fines the ICO will be able to levy, and the bigger they are, the better."