Companies face £500k fines for data breaches

Summary: The maximum fine for serious losses of customer data increases a hundredfold as new powers at the Information Commissioner's Office come into effect

TOPICS: Security

Businesses now face fines of up to half-a-million pounds if they breach data protection laws, after new powers for the Information Commissioner's Office came into effect on Tuesday.

The Ministry of Justice, which provides the budget for the Information Commissioner's Office (ICO), gave a green light for the maximum £500,000 fine at the beginning of the year. Justice minister Michael Wills laid a statutory instrument before parliament in January, setting the level of the fine. It became law on 6 April by default and replaces the previous maximum fine of £5,000.

The data watchdog will now be able to issue heftier fines against businesses and other organisations that suffer serious breaches exposing their clients' personal information.

"When things go wrong, a security breach can cause real harm and great distress to thousands of people," said information commissioner Christopher Graham when the new powers were introduced in January. "These penalties are designed to act as a deterrent and to promote compliance with the Data Protection Act."

The tougher sanctions follow a number of serious breaches. In a recent example, Lancashire County Council was criticised by the ICO in January after leaving a number of social work case files in a filing cabinet that was sold secondhand to a member of the public. In addition, the watchdog said in November it was considering prosecuting several T-Mobile employees accused of selling millions of customer records to rival mobile service providers.

The new powers for the ICO are "a move in the right direction", according to Andy Buss, a service director for analyst firm Freeform Dynamics.

"The powers are needed to help cut out the culture of sloppiness and boost data protection," said Buss.

However, Buss said that to be truly effective, data loss fines needed to work in tandem with data breach notification laws. There is no compulsion under UK law to disclose data breaches.

Tom Espiner

About Tom Espiner

Tom is a technology reporter for He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

  • In David Scott’s words, everyone needs to be a mini-Security Officer in the modern organization today. I think Mr. Scott is right: Most individuals and organizations enjoy Security largely as a matter of luck. Anyone else here reading I.T. WARS? I had to read parts of this book as part of my employee orientation at a new job. The book talks about a whole new culture as being necessary – an eCulture – for a true understanding of security, being that most identity/data breaches are due to simple human errors. It has great chapters on security, as well as risk, content management, project management, acceptable use, various plans and policies, and so on. Just Google IT WARS – check out a couple links down and read the interview with the author David Scott at Boston’s Business Forum. (Full title is I.T. WARS: Managing the Business-Technology Weave in the New Millennium). For some free insight, check out his blog, “The Business-Technology Weave” – you can Google to it, or search on the site IT Knowledge Exchange which hosts it. Great stuff.
  • However, over a year after being given these powers, the ICO has only fined 4 organizations for data breaches. That's less than 1% of the cases being penalized. If they started really cracking down on data breach incidents, then perhaps companies would start taking data protection seriously, by enforcing the use of laptop locks and other preventative measures.
    Which? calls for tougher penalties on data breaches; do you guys agree?