A considerable percentage of security professionals in the UK are currently unaware of the significant monetary penalty notices that can be issued by the Information Commissioner’s Office (ICO) following a serious breach of the Data Protection Act, a recent survey has revealed. Over 500 security professionals within a range of industries, including education, healthcare and Government responded to the research conducted by iStorage, the leading specialist in portable storage and digital encryption.
The survey that looked at methods of storing data asked respondents what they believed to be the maximum fine that a business or Government body could be liable to pay for serious breaches of the Data Protection Act. Whilst the good news is that over 60% understood the implications, over 30% believed the fine to be significantly lower.
> See also: 'Vague' data protection act blights fraud detection, say insurers
In 2010 rules were enforced by the ICO that allow a monetary penalty notice of up to £500,000 to be imposed if it can be proved that a data controller has seriously contravened the Data Protection Act. These penalties were introduced following large security breaches and aim to discourage others from making the same data protection mistakes.
'It is important that everybody dealing with sensitive data in the workplace understands the potential financial and reputational repercussions if it can be proved that the data they are handling is not protected properly. However these survey results show that this simply is not the case,' states John Michael, CEO of iStorage. 'In the broadest sense of the term, a data controller is anybody that uses a laptop, memory stick or similar device to store sensitive data.'
According to the ICO1, using appropriate encryption is a simple and effective means to protect personal data, and one which they advise all organisations to take if the loss of the data could cause substantial damage and distress. The ICO states that the time and cost of proper encryption is put into sharp perspective by a quick glance over the penalties issued in recent cases where encryption wasn’t used.
> See also: UK businesses cannot ignore the EU's data protection reforms
Recent reported high profile cases that have been issued with a monetary penalty notice due to a data breach include North East Lincolnshire Council, which was fined £80,000. This followed the loss of an unencrypted memory device containing personal data and sensitive personal data relating to 286 children. NHS Surrey also suffered a monetary penalty of £200,000 following the discovery of sensitive personal data belonging to thousands of patients on unencrypted hard drives sold on an online auction site.
John Michael adds, 'Since encryption standards are always evolving, it is recommended that data controllers ensure any solution that is implemented meets the current standard such as the recommended FIPS 140-2. The cloud should only be used to store encrypted, non-sensitive information, with local devices utilised to store and transport business-critical information.'