Much fan fare was made in April 2010 of the increase in the size of the fine for a breach of the UK’s data protection legislation. In addition to this increase from a £5000 to £500,000 fine, the Information Commissioners Office made it clear that it was going to pursue those that breached the legislation with all of it’s powers.
Many suspected that the Information Commissioner office would bare their teeth and make an example of ACS Law, a solicitors practice, and its partners. ACS Law suffered a well publicised breach of data confidentiality with regards to data they were custodians of about customers of ISP’s who, it was alleged had infringed music, games and other digital content copyright in 2010. However today it is reported that instead of receiving a £200,000 fine, that Andrew Crossley, the owner of ACS Law, escaped with a £1,000 fine. The sense of injustice was high amongst several commentators in the media and privacy campaigners. Risk registers were changed from £500,000 to £1,000 when detailing the financial cost of getting data protection wrong.
So why the difference and disappointment?
The size of a fine, under civil law, is governed by several factors. The UK’s data protection legislation wasn’t designed to put businesses out of business. Fine sizes take into consideration the distress caused, the businesses efforts to, in this case, take reasonable and appropriate measures to ensure the confidentiality of data and it’s turnover and profit. So what can you learn from this? There is another option.
Lesson 1: There is an Option
It appears that ACS Law is no longer a trading law firm. This means the ICO brought the actions against the businesses owner. This is important. You can’t escape your data security obligations, as a business owner. Even if the business no longer exists the ICO will pursue you. That means any liability falls directly on you. But in turn the size of the fine was calculated against an individuals personal wealth. He’s given assurances about his income and worth and the fine was reduced to £1,000.
Is there something else to learn?
I think there is. Can this experience help information security professionals and amateurs give a realistic picture of the financial impact of a breach of data protection? Understanding how incidents have a financial impact is less distant than many think in some situations.
On a final note, though many have said the ICO missed his opportunity to make an example of a private sector business, I would say that on the balance of things he got it right. There is much greater value in this decision that one would at first think.
What do you think?