Data Protection Commissioner washes hands of Powergen

The Data Protection Commissioner (DPC) has no power to take action against Powergen over the security breach that left 7,000 customer debit card details unsecured on its web server in July.

Powergen breached the principles of the Data Protection Act 1998 when it left the information in an insecure area of the web site, according to assistant data protection commissioner, Phil Jones. But he explained that the DPC has no power to take punitive action when data protection principles are breached, and the best it can do is issue formal enforcement notices.

However, no such notice will be issued to Powergen, as the DPC says there is no conclusive evidence that there are any current security issues with the company's site and it is not interested in issues that are now past.

Phil Jones, assistant commissioner at the DPC, explained: "Parliament didn't give us enforcement powers. We don't have a 'rapping over the knuckles' power. Only a tiny minority of breaches of principle end up in enforcement notices."

Jones added that enforcement notices were difficult to obtain. He said: "The process is complex and time-consuming, and the enforcement notices can be appealed. Virtually everyone we issue one against appeals."

IT worker John Chamberlain informed silicon.com of the security breach in July after finding card details and personal information belonging to other Powergen customers when he went to pay his own bill online. Powergen initially accused Chamberlain of hacking its website, although the company later retracted that claim, admitting the information had been outside the security gate due to a technical error.

Chamberlain expressed his disappointment with the DPC's decision. He told silicon.com: "They've met with Powergen and accepted what it said without consulting me. I was not contacted by the DPC during the investigation."

The leaked DPC document also states that the threat of adverse publicity in the press is more effective than any action it might take in preventing companies making security errors.

Chamberlain added: "It sounds to me like they're saying the press will do a better job than the DPC as a deterrent. That means only large companies will be affected. But what about smaller companies that the press aren't interested in?"