ICO levies first data-breach fines

Summary: The Information Commissioner's Office has imposed fines on Hertfordshire County Council and employment services company A4e for data breaches.

TOPICS: Security

The Information Commissioner's Office has used its power to impose data-breach fines for the first time, handing out penalties of thousands of pounds to a council and an employment agency.

Hertfordshire County Council has been given a penalty of £100,000 for faxing sensitive information to the wrong recipients, while A4e must pay £60,000 for losing an unencrypted laptop, the privacy watchdog said on Wednesday.

"These first monetary penalties send a strong message to all organisations handling personal information. Get it wrong and you do substantial harm to individuals and the reputation of your business," information commissioner Christopher Graham said in a statement.

These were the first two organisations to be fined since the powers of the Information Commissioner's Office (ICO) were strengthened in April to fine organisations up to £500,000. One recent high-profile case in which the ICO said it could not levy a fine was Google's unsolicited harvesting of data sent over unsecured Wi-Fi.

Hertfordshire County Council committed two serious breaches of the Data Protection Act, according to the ICO. In the first, which happened in June, an employee faxed information relating to a child sex abuse court case to a member of the public by mistake.

In the same month, another member of the same unit faxed information on care proceedings for three children to a barristers' chambers unconnected with the case. The data included the previous convictions of two people and domestic violence records, and was meant for Watford County Court, according to the ICO.

"It is difficult to imagine information more sensitive than that relating to a child sex abuse case. I am concerned at this breach — not least because the local authority allowed it to happen twice within two weeks," Graham said.

Hertfordshire County Council told ZDNet UK on Wednesday that it was "unlikely to appeal" the ICO fine. "We are sorry that these mistakes happened, and have put processes in place to try to prevent any recurrence," the council said in a statement. "We accept the findings of the commissioner."

The council now has new procedures, such as more rigorous double-checking of numbers before sending faxes, a spokeswoman told ZDNet UK. She added that the breaches were the result of misdialling.

The second penalty, to A4e, was imposed because the employment services company lost an unencrypted laptop in June. The laptop, which was stolen from an A4e employee's house, contained the details of 24,000 people who had used legal advice centres in Hull and Leicester. The details included names, addresses, income level, information about alleged criminal activity, and whether an individual had been a victim of violence. An attempt had been made to access the data.

A4e told ZDNet UK that it had voluntarily told the ICO about the data breach and had notified all the individuals affected. The company has also strengthened its security procedures, including making it mandatory for all data to be encrypted to ISO-standard level, a spokeswoman said.

"All portable equipment used by our employees is now fully encrypted and all members of staff handling customer data cannot load data and will access [it] through secure central servers," she said.

The lack of data protection left the information open to access by outsiders, the ICO said.

"The laptop theft... warranted nothing less than a monetary penalty as thousands of people's privacy was potentially compromised by the company's failure to take the simple step of encrypting the data," Graham said.

Tom Espiner

  • As the ICO finally seems to be toughening up http://bit.ly/gA5jfs it raises questions about how the fines are applied. Whilst it is disappointing that Google could not be fined as the offence occurred before the ICO could implement stronger penalties, to hear of local councils receiving large fines is also concerning for the public. A balance surely needs to be met, potentially basing the fine not only on the size of the breach, but also of the organisation at fault. It remains to be seen how much these fines will act as a deterrent.
  • In David Scott’s words, everyone needs to be a mini-Security Officer in the org today. I think he’s right: individuals and orgs enjoy Security largely as a matter of luck. For some free insight, Google to his blog, “The Business-Technology Weave”. Anyone here reading I.T. WARS? I had to read parts of his book as part of my employee orientation at a new job. It talks about a whole new culture as being necessary – an eCulture – for a true understanding of security - most identity/data breaches are due to human errors. It has great chapters on security, as well as risk, content management, project management, acceptable use, various plans and policies, and so on. Just Google IT WARS – check out a couple links down and read the interview at Boston’s Business Forum. Available on Amazon. (Full title is I.T. WARS: Managing the Business-Technology Weave in the New Millennium). Great stuff.
  • While these fines show that ICO is taking data loss more seriously, recent research suggests that the public favours other measures than just monetary penalties. In a survey of 5000 consumers (http://bit.ly/eL9kTb) it was discovered that 80 percent support a compulsory data loss disclosure law like those found in the US. In addition, 31 percent thought that criminal proceedings would be appropriate. It appears that repeated incidents of data loss have undermined public confidence in organisations' ability to protect sensitive data and led to a general desire for tougher regulation. This lack of confidence is something that must be addressed fast - the public mood is showing that organisations taking a lax approach to data security won't just lose face, they will also lose customers.

    Ross Brewer, VP and MD, international markets, LogRhythm
  • Resorting to punitive measures, such as fines, represents a sad day in the history of information security. Alas, the repeated examples of lax corporate and public sector security awareness and compliance have made it an unfortunate necessity.

    The sizable fines the Information Commissioner’s Office can impose, as demonstrated in these cases, will hopefully deter organisations of all types from falling behind on data security.

    However, if past instances of data loss and theft teach us anything, it is that regulation alone will not solve the problem. Such measures must be aligned with an overall government effort to encourage and build a culture of security best practice and common sense, underpinned by solid technologies that can deliver the level of security required by law and be able to cope with emerging threats and the changing ways in which we work.

    Kurt Johnson, vice president of corporate strategy and development at Courion
  • @Courion. Well said. A change in culture is required. In any case, most large fines (train companies, local government, and so on) are just passed on to us the consumers. Not really very much disincentive there. There also needs to be some form of personal responsibility accountability developed and enforced.

    The Former Moley
  • Get protection – before it’s too late

    It was announced earlier this month that the ICO would issue its first fine in November. Since then, a number of companies have fallen victim to large fines. A question that springs to mind is whether or not these companies are actually the worst offenders or were just in the wrong place at the wrong time.

    Although the companies mentioned in the article did in fact breach the Data Protection Act and were right to be fined, other firms have been let off with warnings this year for much worse – is this just the ICO flexing its muscles and scaremongering? It seems very convenient that a public and a private sector firm were fined at the same time just before the end of the month. Who will be next? It could be anyone, and companies, both public and private, need to make sure their data is protected.

    Sensitive information is often stored on the hard drives of endpoint systems and on removable media. Organisations need to ensure that this data is persistently protected and one way of doing this is via encryption. The loss of one of those systems or media could expose corporate information, personnel records, government secrets, or intellectual property, producing disastrous effects for organisations. Encryption is transparent and there is no disruption to business operations, performance, or the end user experience.

    When sensitive data on endpoints is secured, organisations can focus on other areas. Data needs to be fully protected, or the next example made by the ICO could be for the full £500,000.

    Gary Clark, VP EMEA, SafeNet