The Information Commissioner’s Office in the UK, thanks to new powers that came into force last week, can now impose a fine of up to £500,000 on organizations that recklessly lose data.
The three words ‘of up to’ are significant here, and we really need to see what criteria will be adopted to quantify a ‘reckless loss’, but it is a clear sign (finally, some may say) that the authorities-that-be have realized how serious a problem data loss and data leakage have become.
This is a move in the right direction and the threat of a hefty fine and not a miserly slap on the wrist may be exactly what the industry needs. There have been too many cases of data breaches over the past year or so and now it’s time to get tough.
In his recent series on security, Emmanuel Carabott makes a convincing argument that companies can ill-afford not to invest in security. I would add that a hefty fine dangling over the CIO’s and CEO’s head makes the decision a tad easier for them.
However, these fines will only be effective as a deterrent if the authorities have the willpower (they have the law behind them now) to use their new powers, and to use them equitably, I should add.
Enforcement is key. IT administrators can write security policies all day long but if they don’t enforce them, they are worth less than the paper they wrote them on. The same applies to the new fines. Paying lip service is one thing but identifying the culprits and punishing them is another matter. Only when they start giving fines will people listen. And when people start to listen, they will (usually) do something about it.
Too many companies are of the ‘it won’t happen to me’ kind.
Once that changes to ‘it won’t happen to me, but I can’t risk a crippling fine’, I can see more companies doing their utmost to protect their data.
So long as the watchdog bites and does not just growl!