This Blog




AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.


AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Is the ICO Targeting Government When Handing Out Monetary Penalties?

The Information Commissioner's Office (ICO) claims that, despite the development over 2010 − 2011, it is not targeting government bodies when handing out monetary fines.

(Strictly speaking, the correct term is "civil monetary penalty".  A fine is related to criminal offences; a violation of the eight principles in the Data Protection Act is not a criminal offence.  Regardless, the terms "fine", "penalty", "monetary penalty", etc. will be used interchangeably in this post.)

A History of Monetary Penalties

The ICO gained in April 2010 the power to assess fines up to £500,000 for data breaches.  As of October 2011, the following fines were handed out.

  • November 2010 - Employment services company A4e is fined £60,000 for the loss of an unencrypted laptop affecting 24,000 people
  • November 2010 - Hertfordshire County Council is fined £100,000 after staff send a fax to the wrong recipients
  • February 2011 - Ealing and Hounslow Councils are fined £80,000 and £70,000 respectively for the loss of an unencrypted laptop affecting 1,700 people
  • June 2011 - Surrey County Council is fined £120,000 for sending sensitive emails to the wrong address

As you can clearly see, all but one are local authorities.

The act of fining public sector organisations is, if not controversial, definitely frowned upon: a fine on a government body is essentially a tax on constituents since the organisation is publicly funded.  Other than the monetary fine, no other punishments are handed out; purportedly, the people who instigated the breach are still there, working and collecting benefits.

In February 2011, Valerie Surgenor, an IT and IP specialist lawyer, noted the odd pattern of fines:

"We need to ask why is this the case when we can see from notices on the ICO website that breaches are also carried out by private companies on a regular basis, but it would appear they don't seem to be getting targeted."

Surgenor observed that private companies tend to more vigorously fight penalties, and perhaps this was the reason behind the biased handouts of fines.

Conspiracy theories notwithstanding, the observation is an astute one.  If you look at the list of companies that were fined, you'll see that A4e, the only private enterprise on the list, has been fined the least despite its breach affecting the most people, further feeding fuel to the allegations.

The Flip Side of the Coin

On the other hand, there is also criticism that fines are not being handed out as often as they could or should be.  In this April 2011 article at The Register, it was revealed that, of the 2,565 data breaches reported to the ICO since it gained the ability to handout fines, only four cases actually resulted in penalties, all of them below the £100,000 mark. (Thirty-six of those cases resulted in some kind of action, including cases where monetary penalties were assessed.  Only seven were in the private sector.)

Also of interest: "nearly one in five of the reported breaches…came from the financial sector".  If you study the above list of organisations that were penalised, you'll notice that none of them are in the financial sector.

The ICO Responds

The Information Commissioner's Office has responded to such criticisms by noting that:

"Our focus as a regulator is on getting bodies to comply with the Data Protection Act," said an ICO spokesperson. "This isn't always best achieved by issuing organisations or businesses with monetary penalties."

"The action we will take depends entirely on the details of each individual case. The existence of civil monetary penalties has had a markedly beneficial effect on compliance generally."

It turns out that the ICO has been in contact with each of the reporting organisations and "informal resolutions" were carried out to fix any underlying problems.

Furthermore, the ICO does not have the ability to hand out monetary penalties willy-nilly (my emphasis):

For a monetary penalty to be served, the Information Commissioner has to satisfy a strict set of criteria, which is set out in the Statutory Guidance."

"This guidance has been approved by the Secretary of State and laid before Parliament. It makes it clear that the Information Commissioner may impose a monetary penalty notice if a data controller has seriously contravened the data protection principles and the contravention was of a kind likely to cause substantial damage or substantial distress."

The ICO has further clarified, in addition, the contravention must either have been deliberate or the data controller must have known or ought to have known there was a risk it would occur and failed to take reasonable steps to prevent it.

"We will always consider the imposition of a monetary penalty where these criteria are met," said the ICO.

In other words, the ICO denies any allegations that it is shirking from its responsibilities when it comes to properly assessing fines, or that it is giving preferential treatment to the private sector.

Also, regarding the 2,565 breaches, the ICO has this to say (my emphasis):

…over half of these complaints concerned subject access requests whereby an individual has either not been provided with all of the information an organisation holds about them or has not received this information within 40 days.

"The figure for reported cases – where information has been disclosed or lost and a monetary penalty is therefore more likely – is only around a quarter of the total mentioned.

When you consider the above explanation, the results don't appear that bad.  While being unable to provide personal details to the data subject is technically a breach of the DPA under the law, it's not the type of breach that puts the person at risk (at least, not usually).  Of course, a serial offender should be penalised but, personally, I think fines ought to be reserved for more dire situations.

On the other hand, a quarter of 2,565 is 640.  Four companies fined out of 640 possible cases results in a penalisation rate of 0.6%, which is much higher than the 0.15% under 2,565 total cases, but still a very tiny size.  In fact, so tiny that it makes one wonder whether the critics are right….

Perhaps we ought to be less cynical and view the results as 99.4% of breached organisations not necessitating monetary penalties because they're not completely incompetent.  Personally, I find that hard to swallow.  A 99.4% success rate is an incredible success rate and is usually associated with the darker sides of society (be it collusion, graft, despotism, etc).

Regardless, accusations that the ICO is not doing enough are not entirely fair.  We should take into consideration that the ability to hand out significant fines has been in place approximately eighteen months, a relatively short time.  To date, the biggest UK data breach affected nearly half of the UK, 25 million people.

The £500,000should be reserved for cases like these, not a one-time event where a "paltry" 24,000 people are affected.  Certainly, it's a big number, but is it as big as, or anywhere near to, 25 million people?

<Previous Next>

Breaching Section 55 of the UK Data Protection Act

Disk Encryption Software: Henry Ford Announces Third Breach, Infectious Diseases Computer Stolen


No Comments

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.