New ICO penalties change the data security playing field

Imperva says that many organisations need to improve their security game in the light of the 100-fold increase in penalties due next month.

And, the data security firm says, the ICO's guidance notes on its new penalties for breaking the provisions of the Data Protection Act are very revealing.

Amichai Shulman, Imperva's chief technology officer, notes that the guidance states that penalties will be incurred where the "data controller has seriously contravened the data protection principles and the contravention was of a kind likely to cause substantial damage or substantial distress".

"The crucial wording in the guidance notes is that 'the data controller must have known - or ought to have known - that there was a risk that a contravention would occur and ought to have known that there was a risk that a contravention would occur'", he said.

"The problem is the emphasis on being honest upon discovery of a breach, which could actually encourage organisations to have lax protection policies and robust incident procedural policies. Penalties may be necessary, but governments should try to be on the constructive side and focus regulations on the protection side rather than on the disclosure side", he added.

Shulman draws parallels between the enforcement of the Data Protection Act and that of the Payment Card Industry Data Security Standards (PCI DSS) imposed on organisations that accept card transactions from their customers.

"PCI DSS takes the pragmatic approach of defining exactly what has to be done and effectively giving the IT manager a blueprint for their data security plans", he explained.

Shulman went on to say that PCI DSS is not a perfect prescriptive solution because, as hackers and cybercriminals develop new security attack methodologies, the rules need modifying to keep up with real-world events.

"This is why the PCI Security Standards Council has outlined plans to create version 2.0 of its standards later on this year", he said.

"The UK regulators need to take heed of this approach and move from a penalty-driven culture to one that involves a much clearer definition of what organisations must do to meet their requirements under the DPA", he added.

Further analysis

The dramatically increased penalties from the ICO were the topic under discussion at an Infosecurity webinar - sponsored by Absolute Software - last week, at which presenters gave their real-world observations on the worries that the new penalties have created.

Fran Howarth, a senior security analyst with Bloor Research, explained how a new generation of threats affects organisations' endpoint security, and how network perimeters are changing, making the task of IT resource protection even more difficult than previously thought.

Alan Boardman, a data security officer with Lancashire Care NHS Foundation Trust, meanwhile, detailed how his trust has successfully deployed Absolute Software's Computrace technology for 4,000 IT users across more than 150 sites.

You can view a recording of this insightful webinar here...
