Isolated comments... » fines

Its getting personal….

admin — Fri, 08 Apr 2011 23:26:22 +0000

This is interesting … many pieces of legislation in relation to data protection have some nod towards personal and directors responsibility in relation to non compliance, but seldom is the noose hung around an individuals neck. This changed a few days ago when the US Securities and Exchange Commission charged three executives for failing to protect customer data and imposed personal fines of between $15k and $20k. What is interesting is that the fines were imposed entirely based on privacy breaches, showing yet again that there is a very fine microscope now being directed world-wide at data protection and privacy issues. European legislation incorporates a responsibility on not only directors and managers but anyone in control of data to exercise a duty of care; it is now only a matter of time before individuals are brought in front of the man with the curly wig to explain their disregard of the rules. Interesting times ahead, watch this space.

Cinderella finds her slipper…

admin — Fri, 10 Dec 2010 19:34:00 +0000

There is a lot of interest at the moment in security, data loss prevention and data protection in general. While the media interest surrounding data breaches continues and reputations are slowly torn at the edges, some interesting things have happened recently that are pointing towards a very interesting future ahead for those of us involved in the sector. I’m not going to go into much detail – suffice to say that the unfolding storm that is Wikileaks has focused the attention of Corporate leaders on the issue. Couple this with serious fines imposed this year in relation to data loss by the Information Commissioner in the UK (£160k), the UK Financial Regulator (£2.28m) and most recently the award of $1.3bn (yes, read that again, its billion!) won by Oracle against SAP for software/data theft in the US. Finally, in November, the German Data Protection Authority imposed a fine of €200k for using customer data for marketing purposes without consent.

Suddenly it seems security is being taken seriously – its no longer the Cinderella in the room. In these turbulent times it beholds every executive to examine their processes carefully and ensure that they mitigate risk and the untold damage that security breaches can do by embedding solid security principals right in the centre of the organisation. Neil MacDonald of Gartner wrote a very interesting article earlier this year where he talked about the importance of getting away from focusing on data loss prevention and instead looking at data lifecycle protection, in the article he reiterated a clear conclusion: “Data protection is the process of identifying and understanding where and how sensitive information is created, consumed, processed, moved, shared, stored and retired and protecting it throughout this lifecycle.” And that is really what it is all about – Data Protection is not about silver bullets, its not about raising impenetrable steel walls, its about embedding security and data protection in at every stage of the business process – clearly it makes good business sense, and it absolutely can add value when done correctly. Data Protection is tightly linked with Data Quality and our colleagues over at Castlebridge Associates have been flying this flag for a long time. The Information Commissioner of Ontario Canada, Dr. Ann Cavoukian has been advocating a system called “Privacy by design” for a long time. She has a free eBook available which is a very good primer and worth reading.

In the meantime, we will go back to solving the big problem – making compliance easy, one ~~slipper~~ step at a time…

Watch this space!

The bulldog finally bares his teeth…

admin — Thu, 25 Nov 2010 11:05:14 +0000

Wednesdays announcement by the UK Information Commissioners office of its first public fines now shout loud and clear to leaders of organizations that the legislation is real, and penalties for not doing the right thing in relation to personal and sensitive data is considerably more than a slap on the wrist. Hertfordshire County Council was fined £100,000 for a breach of protection, allowing details of a child abuse case intended for a barrister, to be sent to the wrong fax address and A4E Limited, a company which operates the Community Legal Advice Centres in Hull and Leicester and also has other contracts with public sector, was fined £60,000 for failing to comply to multiple points within the legislation. A4E critically failed to secure a laptop that was being used by a remote worker which contained very sensitive personal information on clients and was stolen from the remote workers home. The Data Protector has interesting comment on his site here. Stewart Room also talks a lot of sense.

http://www.ico.gov.uk/~/media/documents/library/Data_Protection/Notices/hertfordshire_cc_monetary_penalty_notice.ashx
http://www.ico.gov.uk/~/media/documents/library/Data_Protection/Notices/a4e_monetary_penalty_notice.ashx