BreachExchange mailing list archives

Third parties should face the fine when responsible for data losses


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Wed, 22 Aug 2012 20:38:27 -0400

http://www.scmagazineuk.com/third-parties-should-face-the-fine-when-responsible-for-data-losses/article/254709/

Third parties whose actions lead to data breaches should bear the
brunt of ICO fines.

Speaking to SC Magazine, Jonathan Armstrong, lawyer at Duane Morris
LLP, said that the impact of monetary fines from the Information
Commissioner's Office (ICO) should be passed on to those directly
responsible for the breaches.

He said: “There ought to be more of a debate on fines to NHS trusts,
as a lot come out of patient care – we should consider a fine against
those managers responsible and fines should be passed on to the guilty
parties.

“In some of the NHS fines, some trusts say that they can get the
money back from the contractor, but this comes down to contract
management. Principle seven of the Data Protection Act says that
‘appropriate technical and organisational measures shall be taken
against unauthorised or unlawful processing of personal data and
against accidental loss or destruction of, or damage to, personal
data’. This should apply to everyone – contractors should have a
contractual requirement too.

“If a third party loses my data then they should suffer the
consequences as well.”

In recent news, St George's Healthcare NHS Trust in London was fined
£60,000 after sensitive medical details were sent to the wrong address
by a member of staff; Central London Community Healthcare NHS Trust
was fined £90,000 after patient lists were faxed to the wrong
recipient; while the largest monetary penalty to date of £325,000 was
issued to Brighton and Sussex University Hospitals NHS Trust after
hard drives containing sensitive patient information were sold by a
third party.

An ICO spokesperson said: “The Data Protection Act confirms that it is
the data controller that must ensure that any processing of personal
data for which they are responsible complies with the act. Failure to
do so risks enforcement action, even prosecution, and compensation
claims from individuals.

“Data controllers remain responsible for ensuring their processing
complies with the act, whether they use the data in-house or employ a
separate contractor as a data processor.

“Making individuals or other contractors responsible for data breaches
would require the law to be changed, which would be a matter for the
government to consider.”

Responding to the news that the ICO had served 68 warning notices for
data security lapses in the first half of 2012, in comparison with 46
at this point last year, Ross Brewer, vice president and managing
director for international markets at LogRhythm, said that it was
about time the ICO took a much tougher approach when dealing with data
breaches, given the somewhat lacklustre approach of previous years.

He said: “In today's information age, nominal fines and letter-writing
initiatives to warn about data handling simply do not cut it – hence
the almost constant stream of data incidents still hitting headlines.

“The ICO seems to be taking data security more seriously and
organisations will have no choice but to take heed if they wish to
avoid the financial and reputational repercussions of a breach.

“With the growing number of fines that the ICO is dishing out, it will
be much easier for the public to identify those organisations that are
being irresponsible with their data – and as an additional incentive,
the increased penalty per organisation ensures that the impact on the
bottom line will certainly be felt.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
