For those unfamiliar, the Information Commissioner’s Office (ICO) in the United Kingdom is the independent regulatory office dealing with data protection regulations such as the Data Protection Act.
Like many policy makers, the actual enforcement of policies has been a major stumbling block to their potential effectiveness. Up until recently, the ICO enforcement powers were very limited. However, the ICO has very recently started to issue fines (or “monetary penalties”) for failing to comply with the Data Protection Act.
- A4e was fined £60,000 for losing an unencrypted laptop containing thousands of client details
- Hertfordshire County Council was fined £100,000 for faxing details about a child sex abuse case to the wrong people
At the very least, seeing harsh penalties handed out for data breaches should help increase organization’s focus on protecting sensitive business and customer information. Hopefully that focus will be centered less on what device people are using to access company files and data (such as USB drives, personal email, portable hard drives, smart phones, etc) and more on the underlying risk mitigation need.
“This is part of a wider trend whereby the penalties for, and consequences of, inadequate security measures are increasingly costly and come from different sources – from the payments card industry, to government and private sector contracts, to activist regulators and the public at large,” said Frank Kenney, VP of Global Strategy at Ipswitch File Transfer. “The ICO move has to be seen in the wider context of increased compliance activity.”
Businesses need to take inventory of their own information and understand what confidential files exist and where they are located. Access to confidential files should only be granted to people that are required to use it as part of their job. Simply making policies won’t make a difference; organizations need to follow up with policy enforcement and also must provide employees with the right tools to keep them productive so they done need to resort to their own devices.