The Information Commissioner’s Office (ICO) has revealed a huge increase in the number of penalties handed out to organisations in breach of the Data Protection Act. Over the last year, the ICO has issued 68 warning notices for data security lapses, up 48 percent from the same point last year. Its fines reached nearly £2m over the last year.
According to these figures, the ICO has also increased the amount and frequency of fines it hands out, with 15 fines totalling £1.8m imposed over the past year – a significant increase on the mere six fines totalling £431,000 it handed out in the previous year.
Ross Brewer, vice president and managing director for international markets, LogRhythm, has made the following comments:
It is about time the ICO took a much tougher approach when dealing with data breaches, given the somewhat lacklustre approach of previous years. In today’s information age, nominal fines and letter-writing initiatives to warn about data handling simply do not cut it – hence the almost constant stream of data incidents still hitting headlines.
The ICO clearly needed to step up its activities – particularly as our own research showed that at the end of last year, 64 percent of UK consumers didn’t even know what the ICO was. In any case, of those that had heard of the ICO, just 33 percent thought it was doing a good job.
That said, these latest figures from Syscap clearly indicate a changing tide. The ICO seems to be taking data security more seriously and organisations will have no choice but to take heed if they wish to avoid the financial and reputational repercussions of a breach.
With the growing number of fines that the ICO is dishing out, it will be much easier for the public to identify those organisations that are being irresponsible with their data – and as an additional incentive, the increased penalty per organisation ensures that the impact on the bottom line will certainly be felt.
For organisations, the only way to prevent becoming the next victim of an embarrassing breach or damaging fine from the ICO is to move away from compliance-led IT to a best practice, holistic data security model. Rather than focusing on traditional perimeter IT protection solutions which reactively “fence out” threats, organisations should be embracing approaches that proactively and continuously monitor all IT log data generated by systems.
This enables the identification of seemingly unconnected events that indicate aberrant behaviour, ultimately allowing real-time remediation of any network anomalies and ensuring constant compliance rather than compliance on a case-by-case basis.