Businesses could be fined as much as £500,000 for failing to safeguard personal data under rules to be introduced in three weeks' time, but many employers remain unaware of the new regulation, a data protection specialist warns.
The rules, which come into force on 6 April, were announced last year as a response to the scandal in 2007 which saw HM Revenue and Customs lose track of the data of 25 million families receiving child benefit. At the time, the Information Commissioner's Office said it wanted additional powers to crack down on organisations that do not take all necessary precautions against such loss.
Although there has been a series of high-profile cases since the HMRC data loss, including several financial services companies losing customer information, there has been no sign that organisations have begun taking data protection more seriously. More than 700 businesses, government bodies and charities have lost data, according to the ICO.
Jonathan Care, of MWR InfoSecurity, a risk consultancy that specialises in data protection, said that once it was granted new powers next month, the ICO was likely to become much more aggressive in targeting organisations failing to ensure all personal data is properly looked after.
"The main problem is that most companies have little idea that the new regulations are being introduced and some have still not put in place basic security to ensure that personal information stored on systems is safeguarded," Mr Care said.
He added: "We frequently see fraud perpetrated against poorly secured systems where the information can simply be pulled off by an attacker."
In addition to lax security standards, many companies have failed to put in place procedures to prevent staff from putting data at risk by losing laptop computers, memory sticks, CDs and other storage devices.
Many of the most notorious breaches of the Data Protection Act, the legislation which governs the security of people's personal information, have been this sort of breach, rather than an attack on a company by an unauthorised computer user.
While the largest fines will only be levied in the most serious cases, Mr Care warned that any organisation storing sensitive data would be vulnerable to ICO action unless it could show that adequate controls are in place to prevent security breaches.
The ICO's new powers mark a substantial step change for the watchdog, which until now has only been able to threaten organisations with legal action. As a result, while financial services businesses have been punished by their own regulators for losing data, many other organisations have got away scot-free despite breaking the law.