New penalties “change the data security ballgame”
On April 6, the ballgame for data security in the UK changes because, as from that date, the Information Commissioner’s Office (ICO) has the power to fine organisations up to £500,000 – up from £5,000 previously – for serious data leaks or losses.
According to Amichai Shulman, chief technology officer with data security company Imperva, the critical element in this regard is clearly stated in the ICO’s guidance on the new penalties (http://bit.ly/5byF1f) for breaking the provisions of the Data Protection Act (DPA).
The guidance states that penalties will be incurred where the “data controller has seriously contravened the data protection principles and the contravention was of a kind likely to cause substantial damage or substantial distress.”
“The crucial wording in the guidance notes is that ‘the data controller must have known – or ought to have known – that there was a risk that a contravention would occur’,” said Shulman. “The problem is the emphasis on being honest upon discovery of a breach, which could actually encourage organizations to have lax protection policies and robust CYA policies. Penalties may be necessary, but governments should try to be on the constructive side and focus regulations on the protection side rather than on the disclosure side.”
Shulman draws parallels between the enforcement of the DPA and that of the Payment Card Industry Data Security Standards (PCI DSS) imposed on organisations that accept card transactions from their customers.
“PCI DSS,” he said, “takes the pragmatic approach of defining exactly what has to be done and effectively giving the IT manager a blueprint for their data security plans.”
Shulman added that the US state of Ohio adapted PCI and turned it into a state law, known as the “Joe the Plumber Law.” The name comes from the 2008 US Presidential elections when Ohio state employees released personal data belonging to a John McCain supporter euphemistically known as Joe the Plumber.
PCI has a very promising benefit that government regulators should consider seriously. In September 2009, a Ponemon study highlighted that PCI enabled companies to make security a strategic initiative which led to fewer breaches. “The survey indicated that while some companies have figured out how to convert PCI standards into an overall security mandate to make their enterprises much safer. That’s the type of behaviour to encourage,” explained Shulman.
Shulman added that PCI DSS is not a perfect prescriptive solution because, as hackers and cybercriminals develop new security attack methodologies, the rules need modifying to keep up with real-world events.
“This is why the PCI Security Standards Council has outlined plans to create version 2.0 of its standards later on this year. The UK regulators need to take heed of this approach and move from a penalty-driven culture to one that involves a much clearer definition of what organisations must do to meet their requirements under the DPA,” he said.