Industry prepares for new ICO penalties starting next month

The new rules - from the Information Commissioner's Office (ICO) - kick in on the 6th of April and, says Richard Turner, chief executive of Clearswift, the most significant change is the level of financial penalty, which is set to rise to a maximum of £500,000 (from £5,000) for companies that do not comply with the Data Protection Act.

Turner says that his firm has been helping companies protect their data for almost two decades and has developed some of the most sophisticated content inspection technology in the industry to help companies to protect important or confidential data.

"Organisations can no longer ignore the seriousness of corporate data breaches and of not complying with the Data Protection Act. On 6th April 2010, the Information Commissioner is upping the financial penalties to act as a deterrent for companies that flout these rules", he said.

"The loss of personal data or any data that organisations deem invaluable is unacceptable mainly because it is all preventable", he added.

According to Turner, the term "accidental" is often used by organisations to highlight why things have gone wrong - but this just means that the data security policy was not defined, not shared or not enforced.

Companies, he argues, can prevent data breaches with automated web and email security solutions that provide consistent management and monitoring of communication flows, the ability to report on violations, role-based access and audit logs that satisfy process requirements.

"At Clearswift we firmly believe that it is time for the IT security industry to take more active steps to lead the education of data users on acceptable use and to enforce the standards that we all require", he said.

"This does not mean stopping and blocking businesses from functioning – it means understanding how an organisation works with and needs information, then ensuring that it can be accessed and protected in equal measure", he added.

Stewart Room, a partner at Field Fisher Waterhouse LLP, is also offering organisations some cogent advice to stay out of the ICO's bad books.

He says that this is an area where organisations inherently fail to plan: according to the results of an online poll conducted by Infosecurity Europe - where he will be giving a keynote - a third of organisations admitted that if they experienced a security breach tomorrow they would not have a system in place to deal adequately with the incident.

Room's advice is that as far as data security and handling are concerned - and this applies to any area where there is a regulatory framework - organisations need to focus on two elements: the system and the operations.

The system, he says, sets out the organisation's position on security through documented rules, policies and procedures; the operations are how the organisation implements that system in its day-to-day activities.

The premise is that if the system is legally compliant and covers all the benchmarks within the legislation, then operational failures can be excused under the law.

"That said, if you experience operational failure and a breach occurs, the law is then interested in whether the system in place covers containment, damage limitation and recovery", he said.

In Room's experience it is this latter part of the system - containment, damage limitation and recovery - that has historically been ignored, and it is on this point that many organisations face prosecution.

"Most organisations unfortunately don't have good systems for actually managing the problem. If a breach occurs, the law is really concerned with your behaviour at that point in time. You can't unravel the past and pretend the breach didn't occur; it's what you do from that point on that will determine your culpability", he said.

"The law is about changing behaviours, so if you adopt an honourable stance from the outset, doing the right thing at the right time, then your legal team are in a very strong position to defend you to the regulator arguing that you're not the kind of organisation that has the profile that requires all of the effect of the law and therefore the punishment", he added.

Room argues that organisations need to adopt the right behavioural controls, preferably before a breach, so that if the worst should happen they know what the right thing to do is.

In his experience, a data breach requires a multi-disciplinary response that may draw on some or all of the following: a security specialist, IT resources, a PR agency, legal advice, credit reporting services and credit file freezes. An organisation should reflect on these requirements in advance so that, in a crisis situation, it is not left floundering.

Room is participating in a panel discussion in Infosecurity Europe's keynote theatre, entitled 'Compliance – how to defend yourself and stay out of court'.