£500k Fines for UK Breaches of Data Protection Act

New legislation comes into force in the UK today which empowers the Information Commissioner’s Office (ICO) to levy fines on businesses of up to £500,000 for breaches of the Data Protection Act. Fines are avoidable if adequate security best practices are adopted now.

The ICO is clearly concerned about cases where unencrypted, confidential data residing on laptops and USB sticks has been lost or stolen. The impact of the majority of these cases could have been avoided altogether by following security best practices. Before it attaches a punitive assessment, the ICO must be satisfied that a breach is likely to cause “damage or distress”, that it was either deliberate or negligent, and that the organisation “failed to take reasonable steps to prevent it”.

Develop and enforce a robust security policy:

  • Governance regarding use of customer data – it should not physically leave the premises unless absolutely necessary.
    • Use advanced encryption for data that does have to leave the premises.
    • Restrict access to customer data only to those staff for whom it is critical.
    • Ensure that confidential data cannot be copied to portable media such as USB or CD/DVD.
    • Monitor information leaving via email and websites for appropriateness.
  • Protect and manage all PCs, laptops and servers.
    • Maintain active, up-to-date antivirus, spyware and firewall protection.
  • Create strong passwords for all systems and hardware.
    • Use at least 8 characters combining numbers, letters and punctuation.
    • Don’t use the same password which is active on other accounts.
  • Don’t forget physical security.
    • Shred documents containing personal information.
    • Don’t leave financial and sensitive information unsecured.
    • Educate employees to improve awareness of appropriate behaviours.

The Register