The carrot and stick approach to the adoption of public policy on data protection and information security isn't new at all. Breach the law and you are expected to pay the penalty. In the case of the UK's data protection laws this can mean a fine of up to £500,000, or even a custodial sentence for breach of a court order where one has been issued. The fine is, you would have thought, the proverbial "stick".
However, Matt Gallagher, an unsuccessful candidate for Greater Manchester's Police and Crime Commissioner, wanted the £120,000 fine imposed on the force for the loss of a USB stick holding a list of 1000 people linked to serious crime to be given back to the force. His motives were noble enough: he wanted to re-invest the fine in training and awareness across the force and to help improve its internal controls. But surely Matt Gallagher was missing the point? As someone applying for the role of Police and Crime Commissioner, I'd have hoped he would have understood the principles at stake.
If the Treasury set a precedent for returning fines to the guilty, what would be the motivation for complying with the law and, in this case, for investing in security in the first place? The deterrent lies in the money leaving the organisation; hand it back and the "fine" becomes nothing more than a mandated spend on controls that should have been in place anyway. How would this stack up against the legal principle of everyone being equal in the eyes of the law? Could private sector organisations argue that they too should be allowed to invest in their security practices and controls rather than pay a fine? I could foresee people treating data protection risks as acceptable on the grounds that, if an incident occurred, there would be no financial impact beyond investing in their organisation's information security practices and controls. I'm not convinced that this wouldn't undermine the value of the UK's data protection regime.