The day of the £1000 fine! | Fieldfisher

10/05/2011
UK data security law seemingly took a couple of backwards steps this week, with Parliament and the Information Commissioner showing a preference for the £1000 fine for security breaches.

Today the ICO published news that it had fined the founder of the now-defunct law firm ACS Law a mere £1000 for a very serious security breach that exposed a database of alleged copyright infringers to full scrutiny on the internet. This included highly sensitive information. This notorious example of shocking data failure was described by the ICO in the following terms:

"The ICO’s investigation found serious flaws in ACS Law’s IT security system. Mr Crossley did not seek professional advice when setting up and developing the IT system which did not include basic elements such as a firewall and access control. In addition ACS Law’s web-hosting package was only intended for domestic use. Mr Crossley had received no assurances from the web-host that information would be kept secure. While the firm should have been aware of their obligations under the Data Protection Act, they continued to act negligently and failed to ensure that appropriate technical and organisational measures were in place to keep personal information secure."

So, what kept the fine so low, when public authorities have been fined tens of thousands of pounds for less serious breaches? Answer: Mr Crossley's law firm went bust. Had it not done so, the ICO would have fined it £200,000!

The other £1000 fine development is contained in the new Privacy and Electronic Communications Regulations, which have been amended to reflect the changes introduced in late 2009 by the Citizens' Rights Directive. As well as introducing the new cookie rules, the new PEC Regs bring in the mandatory breach disclosure regime for the e-comms sector. New Reg 5.C says that if telcos and ISPs fail to comply with their disclosure obligations, the ICO can fine them £1000, reduced to £800 for early settlement.

£1000 doesn't seem much of a deterrent, but the law makers will argue that it's not the quantum that matters, it's the stigma of being fined. Whether that's true or not remains to be seen, but at the moment some data controllers will be thinking that UK law has gone a little soft. However, telcos and ISPs should remember that the £1000 breach disclosure fine is additional to the £500,000 data breach fine that was introduced last year.

Stewart Room
