Data watchdog lacks bite for business lapses

The Tory focus on punishing data breaches in the public sector risks letting business failings off the hook, says Alan Calder.

Last week, the Conservatives announced plans to 'reverse the rise of the surveillance state', with expanded powers for the Information Commissioner's Office (ICO) to police the public sector.

There is much to be applauded in this document, which recognises how shockingly inept government is at protecting our personal data. But its treatment of the private sector is weak in comparison and fails to recognise that the ICO needs greater powers to bring directors to heel.

Personal information
A vast amount of personal information is held by the private sector. Store cards, banking systems and social media are just some of the things that are now central to our lives. While the Tories are technically correct that we surrender information to these voluntarily, their position overstates our freedom. If the alternative is to live 'off the grid' in today's technological world, just how much choice do we have?

The Conservative document states blithely that "business is generally much better at protecting data", and that companies have ample incentive to safeguard customer information. But if that were true, then why are we faced with stories of corporate data lapses on a regular basis, which companies could so easily avoid?

The Tories are overlooking essential truths. Time and again, businesses have failed in their duty to customers, indulged by our puny regulatory climate that gives little incentive for them to improve.

Real penalties
When businesses fail in data protection, the Financial Services Authority is presently the only body able to impose real penalties. The fine it recently imposed on three subsidiaries of HSBC is the costliest yet brought against a business.

The FSA's intention was to make executives focus on this responsibility, and at least it was turning up the heat. However, will a £3m fine make any difference to an organisation that counts its profits in billions?

While HSBC will have felt some embarrassment, the financial penalty is almost a pinprick. If penalties like this actually had an effect, then why was it necessary to take action against HSBC only two years after Nationwide's £980,000 fine?

And yet, it is incredibly cheap for companies to do their duty in this area. Nobody has to reinvent the wheel — ISO 27001 sets out how to manage data systems securely, while BS10012 shows how to meet the requirements of the Data Protection Act. Even for a Goliath such as HSBC, the necessary work and staff training would not exceed £100,000; smaller businesses can become compliant for far less.

Given that fines seem ineffectual, the prosecution of individuals, sadly, seems the only alternative. It is time for data security to be given proper emphasis, which means custodial sentences for chief executives, chief information officers and senior civil servants who wilfully disregard the law.

But here is where we fall down. The ICO is the obvious body to pursue such actions, but it has neither the resources, nor the power, for real change. The Health and Safety Executive has a budget and staff about 20 times the size of the ICO's, as well as powers to fine and inspect. Is it any wonder, therefore, that health and safety legislation has thrived, while data protection is so weak?

The ICO is also hamstrung by the lack of sentencing guidelines. Although repeatedly promised, these seem endlessly stuck in committee, allowing offenders to continue their work unpunished.

Opening salvo
So, while I welcome this opening salvo from the would-be next government, the Conservatives need to focus as much on business as on the public sector. Merely floating the idea of a voluntary kitemark scheme in a private sector consultation is almost an invitation for boards to put their feet up.

I would like to see the Conservatives pledge an ICO budget raised significantly from its present low level, and expedite the publication of the essential sentencing guidelines. They should make the adoption of ISO 27001 and BS10012 mandatory for UK businesses above a certain size.

As their crowning achievement, they should also champion a pan-European data breach directive; companies that fail to protect personal data must meet in full the costs of restitution, as well as pay substantial financial penalties.

If not, it is time to start demanding that our elected representatives take this subject seriously. They must enact legislation that has teeth, and commit the level of financial support that enables those teeth to bite.

Alan Calder is an information security author and chief executive of security and compliance organisation IT Governance.