Analysis: Data protection is one area where ignorance can serve as a defence.
"One of the problems we have got as a community is that if you don’t fine people then they don’t do stuff."
Martin Sugden, chief executive of security firm Boldon James, takes a dim view of his industry. A veteran of the security industry, he believes the UK’s Information Commissioner’s Office (ICO) has been lax in punishing those who flout the data protection rules and are failing to deter bad behaviour.
Trawl through the security archive of CBR over the last few months and you would have to agree IT has a security problem. Take only the Heartbleed bug earlier this April and you have big names in tech caught with their trousers round their ankles.
Looking at the headlines it would appear the ICO has issued few fines, 36 over the last two years, or roughly one every three weeks. Yet data continues to be lost every day.
Sugden attributes this to a number of issues, one being a desire to avoid eye-watering fines at a time when the country is coming out of recession. He believes the office is not as investigative as it should be, and consequently is "slow to affect things". Mostly he has a sense that the office simply is not carrying out its remit. "I think the government should do what the government says it’s going to do," Sugden said.
Public and Private
It’s tempting when looking at the data to conclude the ICO has it in for public services. Over the past two years, fines on public agencies account for two thirds of those levied. Local councils and NHS Trusts are commonly in breach of regulations. But health or social service information held by those bodies is among the most sensitive any organisation can handle – even when compared with the financial data much coveted by hackers.
Businesses and charities have also been fined by the office, but more often for marketing than for data loss. Private bodies tend to collect data such as email addresses that can often be found in public locations such as social networks. As such, when companies and charities are fined for big breaches it is more often a matter of scale than sensitivity. One example is electronics giant Sony, fined £250,000 in January 2013 for a hacker infiltration of its PlayStation network.
Another reason the ICO rarely rules against big names is that the UK is not always responsible for investigating multinationals in the wake of breaches. The European Commission data protection guidance under the Article 29 Working Party means that one country tends to take the lead in investigating large conglomerates.
Commenting at the time of the eBay leak of 145 million customer details in May, information commissioner Christopher Graham said: "Our response is made complicated by the nature of a big multinational internet company like eBay. They’re an American company, so the [US] Federal Trade Commission will look into this. They’ve got a European headquarters in Luxembourg, and so the Luxembourg data protection authority will lead on an investigation in Europe."
This still leaves the question of how the ICO calculates penalties for bodies within its remit. Fines in the last two years have averaged £120,000, under a quarter of the maximum £500,000 penalty. The size of a fine is based on how great the contravention of data protection is felt to be, offset against the past record and immediate response of the data controller, as well as the state of its finances. All of this is strictly set out in regulation.
Not always clear cut
The ICO rejects the claim that it is failing to deter companies flouting data regulations. Yet when asked about the Heartbleed bug in which millions of passwords were leaked, a spokesman from the office said it felt that companies could not have realistically known about the problem, and therefore their protection was "adequate". Ignorance is a defence, even if negligence is not.
Sugden said the Government "has to force medium to large organisations to meet the challenge" of data security. Whether he is right or wrong, things are changing. The ICO may soon face an existential crisis in the wake of new EU data protection laws. "There’s a suggestion that it won’t get through," a spokesman said. "So we have to wait and see."
The ICO could certainly be harder with its rules and heavier with its fines, but for now it seems to be doing what it was set up to do. No company is ever likely to entirely protect its data, any more than every bank can protect itself against robbery. "It’s not so much a losing battle, but it is a battle," said Sugden. "Actually, it’s a war."