
New ICO penalties change the data security playing field

24 March 2010

As Infosecurity readers may be aware, on April 6 the ballgame for data security in the UK changes because, from that date, the Information Commissioner's Office (ICO) has the power to fine organisations up to 500,000 pounds - up from 5,000 pounds previously - for serious data leaks or losses.

Imperva says that many organisations need to improve their security game in the light of the 100-fold increase in penalties due next month.

And, the data security firm says, the ICO's guidance notes on its new penalties for breaking the provisions of the Data Protection Act are very revealing.

Amichai Shulman, Imperva's chief technology officer, notes that the guidance states that penalties will be incurred where the "data controller has seriously contravened the data protection principles and the contravention was of a kind likely to cause substantial damage or substantial distress".

"The crucial wording in the guidance notes is that 'the data controller must have known - or ought to have known - that there was a risk that a contravention would occur'", he said.

"The problem is the emphasis on being honest upon discovery of a breach, which could actually encourage organisations to have lax protection policies and robust incident procedural policies. Penalties may be necessary, but governments should try to be constructive and focus regulations on the protection side rather than on the disclosure side", he added.

Shulman draws parallels between the enforcement of the Data Protection Act and that of the Payment Card Industry Data Security Standards (PCI DSS) imposed on organisations that accept card transactions from their customers.

"PCI DSS takes the pragmatic approach of defining exactly what has to be done and effectively giving the IT manager a blueprint for their data security plans", he explained.

Shulman went on to say that PCI DSS is not a perfect prescriptive solution because, as hackers and cybercriminals develop new security attack methodologies, the rules need modifying to keep up with real-world events.

"This is why the PCI Security Standards Council has outlined plans to create version 2.0 of its standards later on this year", he said.

"The UK regulators need to take heed of this approach and move from a penalty-driven culture to one that involves a much clearer definition of what organisations must do to meet their requirements under the DPA", he added.

Further analysis

The dramatically increased penalties from the ICO were the topic under discussion at an Infosecurity webinar - sponsored by Absolute Software - last week, at which presenters gave their real-world observations on the worries that the new penalties have created.

Fran Howarth, a senior security analyst with Bloor Research, explained how a new generation of threats affects organisations' endpoint security, and how network perimeters are changing, making the task of IT resource protection even more difficult than previously thought.

Alan Boardman, a data security officer with Lancashire Care NHS Foundation Trust, meanwhile, detailed how his trust has successfully deployed Absolute Software's Computrace technology for 4,000 IT users across more than 150 sites.
