The news of two information security breaches resulting in considerable fines is all over today's headlines.
Until now the threat of fines of up to £500,000 has been nothing but hearsay, but the precedent has now been set. Both public and private organisations need to take stock and control of their responsibilities relating to the data they hold – get it wrong and you do substantial harm to individuals and to the reputation of your business.
Hertfordshire County Council, which faxed details of a child sex abuse case to a member of the public, is to be fined £100,000 for breaching the Data Protection Act.
Sheffield-based A4e was fined £60,000 for losing an unencrypted laptop with the details of thousands of people.
The commissioner said these fines are the first he has delivered and would “send a strong message” to those handling data.
Commissioner Christopher Graham was granted the authority to serve financial penalties for data protection breaches in April of this year.
The A4e data breach also occurred in June, after the company – a private sector company which provides information on employment and starting a business – issued an unencrypted laptop to an employee so they could work at home.
The computer contained personal information relating to 24,000 people who had used community legal advice centres in Hull and Leicester. It was later stolen from the employee’s house and an unsuccessful attempt to access the data was made shortly afterwards.
A4e reported the incident to the ICO and the company subsequently notified the people whose data could have been accessed.
The commissioner ruled that A4e did not take reasonable steps to avoid the loss of the data when it issued the employee with an unencrypted laptop, despite knowing the amount and type of data that would be on it.
These cases highlight the critical importance of proper policies, procedures, instructions and, above all else, controls in relation to information and data. In the eyes of the law, organisations that use third parties (like UKFast) do not transfer their liabilities under the Data Protection Act for 'their' data. However, partnering with a hosting provider that is ISO27001 certified satisfies organisations' 'duty of care' responsibilities by demonstrating that the correct management and control of data is taking place – as verified by government-approved, independent third parties.
Using a provider that does not operate such a certified system to protect client data can now cost you up to £500,000 in the event of a breach.