BreachExchange mailing list archives
£500,000 data breach fine is too low, say experts
From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Sun, 13 Jun 2010 11:03:36 -0400
http://www.computerweekly.com/Articles/2010/06/10/241537/163500000-data-breach-fine-is-too-low-say-experts.htm

The £500,000 fine that the Information Commissioner's Office can levy for data breaches is too low to get companies to protect personal information properly, say industry experts.

Tony Dyhouse, director of the Digital Systems Knowledge Transfer Network (KTN), said 65% of delegates at a recent KTN meeting believed that the £500,000 penalty was inadequate. Dyhouse was speaking after a meeting in the KTN's series "A fine balance", which deals with digital privacy and security.

"Many lawyers at the meeting said their clients could write off the £500,000 as a cost of business. A small to medium company would probably not even be fined as heavily because of the need for proportionality," he said.

At that level, the fine was too low to be a disincentive against poor data security for the big companies that are the main collectors of personal data.

Dyhouse said he also intended to approach legislators to change section 13 of the Data Protection Act. The section deals with compensation in the event of damage or distress resulting from a data breach. In practice these claims are restricted to financial damage, said Dyhouse, which excludes compensation for reputational damage, for worry over losses, and for the cost of repairing the results of a breach, such as the time and effort needed to correct a damaged bank record.

"This is contrary to European legislation and the Information Commissioner's Office guidelines," he said.

If the changes go through, citizens who suffer non-financial damage as a result of a data breach will be able to claim compensation from the organisation that leaked the information.

Dyhouse said the KTN would follow up a suggestion that companies modify their rules for collecting data online as part of a transaction. The idea is to prevent both sides from losing the transaction because the consumer declines to provide personal information that is non-essential to the transaction, such as a birth date to buy a CD. Dyhouse said this would improve online transaction completion rates and reduce consumer frustration.

[..]

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/