£500,000 data breach fine is too low, say experts

[Jake Kouns <jkouns () opensecurityfoundation org>]

http://www.computerweekly.com/Articles/2010/06/10/241537/163500000-data-breach-fine-is-too-low-say-experts.htm

The £500,000 fine that the Information Commissioner's Office can levy
for data breaches is too low to get companies to protect personal
information properly, say industry experts.

Tony Dyhouse, director of the Digital Systems Knowledge Transfer
Network (KTN) said 65% of delegates at a recent KTN meeting believed
that the £500,000 penalty was inadequate.

Dyhouse was speaking after a meeting in the KTN's series "A fine
balance", which deals with digital privacy and security.

"Many lawyers at the meeting said their clients could write off the
£500,000 as a cost of business. A small to medium company would
probably not even be fined as heavily because of the need for
proportionality," he said. At that level, the fine was too low to be a
disincentive against poor data security for the big companies that are
the main collectors of personal data.

Dyhouse said he also intended to approach legislators to change
section 13 of the Data Protection Act. The section deals with
compensation in the event of damage or distress resulting from a data
breach. In practice these are restricted to financial damage, said
Dyhouse.

This meant, in practice, it excluded compensation for reputational
damage or worry over losses and costs of repairing breach results,
such as time and effort to correct a damaged bank record.

"This is contrary to European legislation and the Information
Commisioner's Office guidelines," he said.

If the changes go through, citizens who suffer non-financial damage as
a result of a data breach will be able to claim compensation from the
organisation that leaked the information.

Dyhouse said the KTN would follow up a suggestion that companies
modify their rules for collecting data online as part of a
transaction. The idea is to prevent both sides from losing the
transaction because the consumer declines to provide personal
information that is non-essential to the transaction, such as a birth
date to buy a CD.

Dyhouse said this would improve online transaction completion rates
and reduce consumer frustration.

[..]
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/

Get business, compliance, IT and security staff on the same page with
CREDANT Technologies: The Shortcut Guide to Understanding Data Protection
from Four Critical Perspectives. The eBook begins with considerations
important to executives and business leaders.
http://www.credant.com/campaigns/ebook-chpt-one-web.php