Bigger ICO fines add to data security pressures
The introduction of more severe penalties by the Information Commissioner's Office will change the data security ballgame, says Imperva
On 6 April, the ballgame for data security in the UK will change because, from that date, the Information Commissioner's Office (ICO) has the power to fine organisations up to £500,000 – up from £5,000 previously – for serious data leaks or losses.
According to Amichai Shulman, chief technology officer with data security specialist Imperva, the critical element in this regard is clearly stated in the ICO's guidance on the new penalties for breaking the provisions of the Data Protection Act (DPA).
Onus on being up front
The guidance states that penalties will be incurred where the "data controller has seriously contravened the data protection principles and the contravention was of a kind likely to cause substantial damage or substantial distress".
"The crucial wording in the guidance notes is that ‘the data controller must have known – or ought to have known – that there was a risk that a contravention would occur’," said Shulman.
"The problem is the emphasis on being honest upon discovery of a breach, which could actually encourage organisations to have lax protection policies and robust CYA [cover your assets] policies. Penalties may be necessary, but governments should try to be constructive and focus regulations on the protection side rather than on the disclosure side."
Shulman drew parallels between the enforcement of the DPA and that of the Payment Card Industry Data Security Standards (PCI DSS) imposed on organisations that accept card transactions from their customers.
"PCI DSS," he explained, "takes the pragmatic approach of defining exactly what has to be done and effectively giving the IT manager a blueprint for their data security plans."
US data leaks spur PCI adoption
Shulman pointed out that the US state of Ohio adapted PCI and turned it into a state law, known as the ‘Joe the Plumber Law’. The name comes from the 2008 US Presidential elections when Ohio state employees released personal data belonging to a John McCain supporter, euphemistically known as Joe the Plumber.
PCI has a very promising benefit that government regulators should consider seriously. In September 2009, a Ponemon study highlighted that PCI enabled companies to make security a strategic initiative, which led to fewer breaches.
"The survey indicated that some companies have figured out how to convert PCI standards into an overall security mandate to make their enterprises much safer. That's the type of behaviour to encourage," explained Shulman.
Shulman went on to say that PCI DSS is not a perfect prescriptive solution because, as hackers and cybercriminals develop new attack methodologies, the rules need modifying to keep up with real-world events.
"This is why the PCI Security Standards Council has outlined plans to create version 2.0 of its standards later this year. The UK regulators need to take heed of this approach and move from a penalty-driven culture to one that involves a much clearer definition of what organisations must do to meet their requirements under the DPA," he said.