Tougher penalties to stop data breaches?

We all know the statistics; the number of identity fraud victims is growing year-on-year and we all need to be responsible when looking after our personal information.

But what happened when personal information is lost, leaked or stolen and it is outside our direct control? Who do we look to blame?

In the UK, the Information Commissioner’s Office (ICO) has said the number of incidents of loss or theft of personal data has risen to an ‘unacceptable’ level in the past year. The ICO reported 434 separate incidences of data loss in the past 12 months, a 57 per cent increase year-on-year.

Deputy Information Commissioner, David Smith, said: “Unacceptable amounts of data are being stolen, lost in transit or mislaid by staff. Far too much personal information is still being unnecessarily downloaded from secure servers on to unencrypted laptops, USB sticks, and other portable media.”

In order to do something about this the Ministry of Justice has proposed a maximum fine of £500,000 for a breach of the Data Protection Act from April 2010. It is hoped the fine would reflect the importance the UK government is placing on safeguarding personal data.

CPP’s own consumer research into the issue is interesting. One in five employees don’t trust their own employers to protect their information at work and less than a third is satisfied with their own company’s security procedures. Shockingly, a quarter of employers admit to taking personal information out of the office, leaving personal information on their desks (19%), storing sensitive information on USB sticks (10%) and one in ten fail to shred employee personal information.

Most telling, and in line with the Government’s actions,  four in 10 employees want organisations to be fined for infringing on personal data protection. However, a quarter would go as far as having prison sentences for those who repeatedly put them at risk.

So, three questions arise here. Firstly is the scale of a the ICO fine enough to make the protection of customer data an executive issue – much like health and safety is today. And is the fine proportional to the damage inflicted on those who have their personal information misused for fraud? The answer to both these is probably not.

Finally, what is the definition of ‘recklessly participate in the loss of private information’ that would trigger civil penalties against organisations? Is it employees accidentally leaving laptops in taxis or on public transport, hackers accessing confidential files, sensitive waste left insecure, unencrypted hard drives and inadequate firewalls, or employees illegally selling customer data?

One thing is certain. 2010 will see more breaches of customer data putting more people at risk of identity fraud until the maximum civil penalty makes organisations wake up and take data security more seriously.