Infosec: Information Commissioner Denies Private Sector ‘Pussyfooting’

Information commissioner Christopher Graham has said he is not afraid to punish private sector organisations, rebuffing claims that the ICO is not heavy handed enough on corporations.

A Freedom of Information (FoI) request from security company ViaSat discovered that despite being responsible for 263 out of 730 self-reported data breaches between 22 March 2011 and 17 February 2012, the private sector has only received one financial penalty.

No bias?

Over the same period, eight public sector organisations were hit with £790,000 worth of fines. The biggest fine was £130,000 for Midlothian Council. “The private sector still has a relatively free rein,” said ViaSat CEO Chris McIntosh.

Yet Graham, pointing directly to the FoI in his keynote at InfoSecurity 2012 today, said he was aware of the problem in the private sector. “Every year, there’s a press release that goes around saying ‘the information commissioner doesn’t know what he is doing, he hasn’t noticed what is going on in the private sector’. Well, guess what? I have noticed.”

Talking to TechWeekEurope before the keynote, Graham said it was the second year running such a “stunt” had been pulled by ViaSat. An FoI from the company at InfoSec last year appeared to show the ICO had fined less than one percent of companies who had confessed to data breaches.

Graham said there was no bias when it came to public and private sector breaches of the Data Protection Act.

“The civil monetary regime is very specific and we look at every breach that comes our way. But we have to assess whether it’s a substantial and serious breach that’s causing distress and so on. It is all about whether the  data controller knew or ought to have known what the effect was going to be,” Graham said.

He claimed companies in the private sector would get in much more trouble if their customers caught them out. In those cases, fines would be higher than if firms had been more honest.

Yesterday, minister for science David Willetts urged businesses to be more forthcoming with information if they are hit by a breach.

“There are more civil monetary penalties coming,” Graham added. “The key driver for the private sector is that you maintain consumer confidence and we’ve got to the tipping point where consumers are increasingly aware and are very, very concerned about protecting their privacy.

“If companies don’t respect that, they are going to lose business to companies that do.”

As for whether the EU Data Protection Framework would make an impact on the way the ICO handles penalties, the commissioner said there was “a long way to go” on the proposed laws.

“There are a lot of negotiations to take place. I hope very much that we’ll get to something that is more doable, that’s less over-engineered and over-prescribed to enable regulators to do their job,” Graham added.

Fascinated by IT security? Try our quiz!