The Information Commissioner's Office, the body responsible for enforcing the Data Protection Act and long considered a paper tiger, has finally grown teeth and served two organisations with hefty fines.
The fines come shortly after the ICO was granted increased powers offering the ability to punish companies' lax privacy practices with fines of up to £500,000.
Although neither of the fines comes close to the maximum permissible under the ICO's expanded powers, they're hefty nonetheless: Hertfordshire County Council was fined £100,000 for accidentally faxing personal information regarding ongoing care proceedings and a child sexual abuse case to the wrong recipients, while training firm A4e was fined £60,000 after losing a laptop containing the unencrypted personal details of around 24,000 of its clients - including names, postcodes, dates of birth, their income levels, and the results of criminal background checks.
Although the fines come as welcome proof that the ICO does have the power to punish, there are those who believe the punishments don't match the severity of the crime. Ed Macnair, chief executive of user activity management firm Overtis, exclaimed: "In the case of the stolen laptop, the penalty is less than £3 for each lost record. When you consider the fact that A4e is a £145 million company, the breach has had a higher impact on the 24,000 individuals whose confidential information has been lost."
Mark Fullbrook, UK director at information security specialist Cyber-Ark, was equally incredulous at the actions of the council, stating: "Hertfordshire County Council has committed a huge breach of security, using archaic methods to transmit highly sensitive material. Today's news should hopefully serve as a wake-up call for all those that have ignored this ticking time bomb for so long. The products are out there, so organisations need to get wise or risk the wrath of an ICO eager to flex its muscles."
Fullbrook's comments should be heeded: with low-cost and even free software available to mitigate the effects of a lost laptop or misaddressed e-mail, such as the popular encryption package Truecrypt, there's no real excuse for the actions of either party.
With the ICO likely on the lookout for more privacy pratfalls, companies had better clean up their acts if they want to avoid being the next to receive a nasty fine.