Mark Weston

(ISC)² warns new big fines are finally bringing data security to boards’ attention

19 February 2010
By: Mark Weston | Discussion topic: Data Protection & Privacy (Other Sectors), Data Providers, News, Upload-IT

Imminent fines are bringing data security issues to boards’ attention. That is the view of John Colley, EMEA managing director of (ISC)², a not-for-profit organisation that educates on information security issues. Colley claims that the forthcoming introduction in the UK of fines of £500,000 for serious data breaches is making businesses sit up and take their data protection obligations seriously. He advocates that every information security person ensure they have compliant policies and documentation in place before the law becomes stricter.

Under changes to UK data protection law expected to take effect in April this year, the Information Commissioner’s Office (ICO), the regulator in charge of enforcing data protection law in the UK, will be able to fine organisations up to £500,000 if it discovers a serious breach of the Data Protection Act. The breach must be of a kind likely to cause substantial damage or distress, and either the organisation must have deliberately breached the Act, or it should have known of the risk and the likely substantial damage or distress but still failed to take reasonable steps to prevent it. The ICO has issued guidance on how high it would make the penalties. The ICO would consider a number of factors, including:

  • How serious the breach was.
  • How likely damage was.
  • Whether the breach was deliberate or negligent.
  • What steps the organisation had taken to safeguard the data.
  • The organisation’s resources and size.
