Private companies can expect more ICO fines, regulator warns

A regulator has warned that private companies that do not adequately protect data will face ICO fines of up to £500,000.

According to a senior spokesman for the Information Commissioner’s Office (ICO), companies will face harsher ICO fines in the future if they fail to protect personal data.

David Evans, ICO group manager for business and industry, admitted “companies are not taking it [data protection] very seriously,” and warned he planned to make an example of any future culprits in the private sector by imposing a monetary fine of up to £500,000.

Speaking at the European Community Meeting of the PCI Security Standards Council in London this week, Evans conceded that so far, the ICO has mostly avoided using its powers to impose monetary penalties. Just a few local councils have so far received ICO fines.


But Evans said the security breach at online cosmetics retailer Lush last year had been “a wake-up call” for the ICO. In that case, the company had failed to implement basic security measures, and in turn, its website was subjected to a malicious intrusion, potentially compromising approximately 5,000 customer credit card records.

However, following the breach, Lush admitted the mistake, communicated openly with customers and added strong security measures, including putting its card processing out to a PCI DSS-compliant payment service provider. As a result of those actions, the company avoided a fine and was merely obliged to make a public admission of guilt and an undertaking to do better in the future.

But Evans said many companies still do not get the message about the importance of data protection, and that any “similar incident [to what happened at Lush] will attract a fine in the future.”

He advised security professionals to become more agile in the way they work, and to react more quickly to new challenges, such as the sudden widespread use of the Apple iPad among senior management and marketing departments.

On a more conciliatory note, Evans reminded companies that the ICO is prepared to conduct a free data protection audit for companies to help them identify areas of weakness that could lead to a breach.

“The audits will help you to do things better,” Evans said. “You have to invite us in, but if you do and we find something wrong, we will not fine you. And remember, even though your PCI DSS compliance might be fine, there may be a hole somewhere else in your systems that could leak personal data.”

In July, the ICO reported it approached 100 organisations last year, offering them a free audit, but only 19% of private firms took up the offer.

Taking questions at the end of his talk, Evans said the ICO will use fines where they will make the biggest public impact. “If we use fines sparingly, we will attract more attention,” he said.
