UK Justice Committee mulls prison sentences for breaches of Data Protection Act

Serious violators of the Data Protection Act could soon find themselves here if certain MPs have their way

The report from the committee says that breaking data protection laws can be extremely profitable and the impact of the crime can be severe. It also raises concerns that fines provide an inadequate deterrent when the financial rewards for illegal behavior are so great.

Sir Alan Beith, the chair of the committee, said that using deception to obtain personal information – sometimes known as blagging – or selling it on without permission are serious offenses that can cause great harm. Fines, he explained, are used to punish breaches of data protection laws, but they provide little deterrent when the financial gain exceeds the penalty.

“Magistrates and judges need to be able to hand out custodial sentences when serious misuses of personal information come to light. Parliament has provided that power, but Ministers have not yet brought it into force – they must do so”, he said.

The MPs warn in their report that potential misuses of personal data are also not being fully investigated, because the Information Commissioner's Office (ICO) does not have the power to compel private sector organizations to undergo information audits. If the ICO had been able to compel audits of insurance companies and personal injury lawyers, the issues around referral fees might have been identified and tackled sooner.

Sir Alan Beith added: "The Information Commissioner's lack of inspection power is limiting his ability to identify problems or investigate potential data abuses. Ministers must examine how to enable the [ICO] to investigate properly without increasing the regulatory burden on business or the public sector."

Commenting on the report, Nick Lowe, vice president of sales with Cyber-Ark, said that he agrees with the Justice Select Committee that there must be tougher personal data abuse laws.

“The misuse of privileged access to sensitive information is undeniably widespread and, with reports revealing that even bodies such as the police force have misused their powers, it is completely justifiable for there to be concern about the way that such issues are dealt with in the eyes of the law,” he said.

“While financial penalties can be a useful tool, at present they do not reflect the severity of the issue at hand. Without the ability to hand out significant fines that outweigh the often lucrative rewards of such offenses, there is little to put people off committing these crimes in terms of punishment. For those incidents that violate the most personal of information, stronger penalties must be brought in – and it will be interesting to see if this goes as far as jail time”, he added.

Over at Informatica, Charles Race, the firm's vice president for Northern Europe, said that the data explosion is still trickling into all corners of society, meaning it is no wonder that, with more and more information available at the touch of a button, abuses arise.

“The fact that nurses, doctors and telesales representatives can profit from the ability to access personal information needs to be addressed. But, given the potential value of selling personal data in today’s world, the penalty per breach will fall way short of acting as a deterrent”, he said.

“Rather than relying on external deterrents, organizations can bypass this vulnerability altogether by implementing more sophisticated tools to take total control over their valuable data assets. Technologies like data masking put the control back in the hands of businesses by allowing them to flexibly establish parameters that protect against data breaches in the first place”, he added.

“Consequently, organizations are also able to prevent against receiving hefty fines as a result of breaches. By returning to the root of the problem, organizations can maintain rich views of their customers, while armoring themselves against unauthorized individuals looking to profit illicitly from their customer’s valuable data.”
