AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

What Type of Penalties Exist for UK DPA Violations?

There are a number of ways that the Information Commissioner's Office (ICO) can penalise a company for a data breach.

  • Undertakings
  • Enforcement Notices
  • Monetary Penalties
  • Custodial Sentences (Sought by the ICO)

Of the four, the monetary penalties are perhaps the most famous due to their head-turning figure: a maximum possible fine of £500,000. However, the other three are important as well.

Undertakings and Enforcement Notices

According to computing.co.uk,

Undertakings [are] where an organisation commits to a course of action to improve its compliance, and enforcement notices…can compel organisations to immediately stop actions leading to legal infringement.

So far, I have been unable to find an official definition for Undertakings from the ICO, but based on the Undertakings I've read, it is apparent that computing.co.uk is not off the mark at all. In an Undertaking, the data controller in charge makes promises to better secure its data, including the use of encryption software for laptops and other portable data storage devices. (Perhaps looking for a definition from the ICO is asking a little too much. The dictionary definition of the word "undertaking" is "a formal pledge to do something.")

On the ICO's own website, an Enforcement Notice is defined as:

Enforcement notice (Data Protection Act)
The Information Commissioner has the power to serve an enforcement notice if he is satisfied that a data controller has contravened or is contravening the data protection principles. The notice must set out the steps that the data controller must take to comply with the relevant requirements of the Act. The notice may be appealed to the First-tier Tribunal (Information Rights) which may confirm, amend or overturn it. However, in the absence of an appeal, if the data controller fails to comply with a notice, a criminal offence is committed.
[ico.gov.uk]

As far as I can tell, failing to follow the promises and directives found in Undertakings and Enforcement Notices can eventually be tried as a criminal offence.

Monetary Penalties: Two Types of Monetary Penalties

You may be aware that the Information Commissioner's Office has the ability to hand out fines of up to £500,000 for a data breach. However, what is not normally specified is that this is a penalty charged to data controllers in their capacity as data controllers. In other words, it's not a person getting fined, it's a company getting fined. (Exceptions, I'm sure, exist where a controller is not an organisation but an individual.)

There are instances, however, where a person or group of people causes a breach on purpose (in other words, they pilfer or gain unauthorised access to data, a direct contravention of Section 55 of the DPA). In such instances, the penalties that can be imposed on the individual max out at £5,000, as the ICO has ruefully pointed out.

These are explored in these separate pages:

Custodial Sentences

Custodial sentences (i.e., putting someone in prison) are not yet something the ICO can obtain. However, this does not mean that one should not be concerned about them, either. The Information Commissioner's Office has been seeking custodial sentences for people who endanger personal data since 2006, and both recent and past trends seem to further strengthen the ICO's position.

In a 2006 survey, an overwhelming majority agreed that the ICO should be empowered to hand out custodial sentences. The issue is further explored in this page.

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.