Companies face £500k fines for data breaches

Summary: The maximum fine for serious losses of customer data increases a hundredfold as new powers at the Information Commissioner's Office come into effect

Businesses now face fines of up to half-a-million pounds if they breach data protection laws, after new powers for the Information Commissioner's Office came into effect on Tuesday.

The Ministry of Justice, which provides the budget for the Information Commissioner's Office (ICO), gave a green light for the maximum £500,000 fine at the beginning of the year. Justice minister Michael Wills laid a statutory instrument before parliament in January, setting the level of the fine. It became law on 6 April by default and replaces the previous maximum fine of £5,000.

The data watchdog will now be able to issue heftier fines against businesses and other organisations that suffer serious breaches exposing their clients' personal information.

"When things go wrong, a security breach can cause real harm and great distress to thousands of people," said information commissioner Christopher Graham when the new powers were introduced in January. "These penalties are designed to act as a deterrent and to promote compliance with the Data Protection Act."

The tougher sanctions follow a number of serious breaches. In a recent example, Lancashire County Council was criticised by the ICO in January after leaving a number of social work case files in a filing cabinet that was sold secondhand to a member of the public. In addition, the watchdog said in November it was considering prosecuting several T-Mobile employees accused of selling millions of customer records to rival mobile service providers.

The new powers for the ICO are "a move in the right direction", according to Andy Buss, a service director for analyst firm Freeform Dynamics.

"The powers are needed to help cut out the culture of sloppiness and boost data protection," said Buss.

However, Buss said that to be truly effective, data loss fines needed to work in tandem with data breach notification laws. There is no compulsion under UK law to disclose data breaches.

Topics: Security

About

Tom is a technology reporter for ZDNet.com, writing about all manner of security and open-source issues. Tom had various jobs after leaving university, including working for a company that hired out computers as props for films and television, and a role turning the entire back catalogue of a publisher into e-books. Tom eventually found tha...
