back to article UK data watchdog: Massive fines won't keep data safe

The UK’s data protection watchdog has said issuing fines "left, right and centre" is not the way to ensure privacy. However, Information Commissioner Christopher Graham added that this doesn’t mean his office shouldn’t have those exact powers at its disposal. “The obligation laid on data protection authorities always to fine …

  1. Zippy's Sausage Factory

    In other words...

    "We want the ability to not fine someone quarter of a million if they actually spend half a million beefing up their security and start taking it seriously, because otherwise management might decide that if they're going to get fined anyway and can't avoid the bad PR they might decide not to bother with better security"

    That's how it reads to me. (And yeah, seems sensible)

    1. Doctor Syntax Silver badge

      Re: In other words...

      I think I'd prefer "you spend the half million and here's a quarter of a million fine just to remind you of what'll happen if you have a relapse".

      1. Mad Mike

        Re: In other words...

        Fines are never the answer. Most executives are at a company so short a time that they don't care about the company, whether it survives or financially viable. They're there top make a few quick bucks and then move on. So, if they get away with it and don't get caught, more money for the bonus pot. If they do get caught, worse case the company disappears and you move on. It's a win/win situation for execs.

        The only solution is to make them personally responsible, with serious personal fines and jailtime. Take away plausible deniability and make them demonstrate exactly why they're not liable rather than prove they are. Make them prove they did enough. Then, execs might start taking this stuff seriously.

        They're paid a lot of money for the responsibility they supposedly carry. However, in reality there isn't really any responsibility. So, let's make them responsible and earn their money.

        1. Anonymous Coward
          Anonymous Coward

          Re: In other words...

          Unfortunately there are so many inept CEOs and corrupt politicians that it's extremely rare to hold the CEO accountable for anything though they certainly should be. If Bill Gates, Tim Cook and other corporate criminals went to prison for 35 years as they should for their crimes, then we'd see CEOs take their jobs and security much more seriously. Otherwise they just pay lip service to security and corruption.

        2. streaky

          Re: In other words...

          Fines are never the answer

          They're not the answer but if they're big enough and often enough they might be enough to prevent people cutting corners short term. What I'm saying is they're not going to suddenly secure every system in the country but they might help drive investment in competent persons and stem the security brain drain and outsourcing.

  2. Doctor Syntax Silver badge

    IIRC the original DPA had a sanction to forbid the offender from processing data. That's what I call an effective sanction.

    1. Lee D Silver badge

      It takes a day to form another company with the exact same staff and then "outsource" all your data handling to that company.

      That's probably why that sanction never persisted in law.

  3. Anonymous Coward
    Anonymous Coward

    I agree fines are not

    Fines for some companies are just the cost of doing business.

    Consent decrees however and criminal penalties for the execs for breaching them... That is an entirely different ball game.

    1. Charles 9

      Re: I agree fines are not

      Thing is, the executives remove themselves from the nitty-gritty so they can claim plausible deniability. As for consent decrees, what if they decide to take their ball and leave instead? Plus there's the risk of collateral damage to innocent customers.

  4. Chris Miller

    Fining corporates bodies is pointless (unless the fines have 10 digits), particularly publicly-owned bodies. Make the directors personally liable. A few cases of bailiffs towing away Bentleys and confiscating the title deeds to the agreeable villa in Tuscany might persuade some of them to start taking security seriously.

    1. Anonymous Coward
      Anonymous Coward

      The directors take great pains to remove their liability for misdeeds. They act in broad: one step removed. Pinning the blame on them would be like trying to pin the tail on a runaway donkey.

      1. Mad Mike

        Turn it around

        Change it around and make them prove they've done enough. There's plenty of places in English law now where you're guilty until proven innocent.

        1. Anonymous Coward
          Anonymous Coward

          Re: Turn it around

          No, No, No.

          Let's never go down that road.

      2. the spectacularly refined chap

        The directors take great pains to remove their liability for misdeeds. They act in broad: one step removed. Pinning the blame on them would be like trying to pin the tail on a runaway donkey.

        There are established mechanisms to deal with that: for example you can use the Health and Safety at Work Act as a template in that regard. Directors are personally (and criminally) liable for any breaches of the act within their company. They can't wriggle out of it and transfer the responsibility on to someone else, in fact attempting to do so is itself evidence of guilt.

        However, it doesn't matter what they do, in any company of a few thousand people there is always going to be plenty of stuff going on that the directors are completely unaware of: if two junior staff decide by themselves to develop a "more efficient" way of work that is unsafe management do not necessarily hear about it until it is too late. Their only effective defence in such a case is to point to procedures they have in place: for example that safe working practices have been determined and staff have been trained in their use, that relevant equipment is provided and in appropriate condition, that regular health and safety audits are carried out, and there is a well defined whistle-blowing mechanism to raise issues that still crop up. If you can show all this the courts take a reasonable view - you did everything practical to ensure the workplace was safe but shit happens, therefore no guilt attaches to you as a result of this accident.

        There is no reason in principle data protection could not be similar. I'm not entirely convinced about criminal liability - calling for that to me always sounds like vindictiveness after the event, and putting too much control at the very top is also putting that control into the hands of non-specialists - but I'll leave that to one side. I think (hope) this is the point the ICO are trying to make - the fact there is a breach should not necessarily lead to a sanction. If there was gross negligence and sloppy practices then sure, fine them and fine heavily. If on the other hand you can point to solid procedures in place to protect data and that they are subject to regular review to keep them current, but still have a breach falling in to the "shit happens" category, perhaps that should be viewed as an opportunity for review as to how defences can be improved in future.

  5. Amphibious RawCod

    A £250,000 pound fine to Sony is literally nothing. I am reminded of the scene in Quadrophenia when Ace Face offers to pay the fine on the spot.

    1. Anonymous Coward
      Anonymous Coward


      I agree - the problem with the ICO is that the fines are a joke for most major offenders.

      I doubt Sony would have noticed £250k as anything other than a rounding error in its corporate accounts.

      For some, small, businesses, the fines can be painful, but on the whole they just wind up the company and start again. It all boils down to the cost of doing business.

      If we use Staysure as an example, the ICO fine averaged about £1.50 per record breached. In 2012 Tetrus telecoms was fined for selling records at a reported £5 per record. This implies that each record is worth a reasonable sum to companies and the fines for mishandling are off-kilter.

      What the ICO needs to do is make company directors / CEOs personally responsible for data in their organisation and send them to jail if they deliberately cut corners and get breached. I dont mean a mandatory jail sentence, but it should be an option to prevent "cost of business" decisions.

  6. Anonymous Coward

    Money is no object

    12 months in the Scrubbs picking up the shower block soap for Big Jim may have more impact.

    Also imprison a few bankers and non-dom newspaper proprietors for good measure.

  7. Ian 62

    Fine is a contract employing someone

    How about a fine that directly funds someone elses job.

    Leaky data, Pays a contract for a security consultant?

    Dirty hospital, pays a contract for a cleaner?

    Corrupt bank, pays a contract for an auditor?

    Corrupt copper, pays a contract for legal advisor?

    Crap school, pays a contract for teacher training?

    Keeps the money going round, maybe gives a few real people some real jobs, and gets the problem directly addressed?

    1. Charles 9

      Re: Fine is a contract employing someone

      They're trying that with Apple in the US, and it's still rather messy over there. How do you deal with that without trampling on the rights of the customers?

      1. Trevor_Pott Gold badge

        Re: Fine is a contract employing someone

        Customers haven't had any rights for decades. Why start worrying now?

  8. 45RPM Silver badge

    Nothing will keep data safe

    If the government passes laws to mandate the inclusion of back-doors in all encryption systems then nothing will keep data safe - and having a watchdog will be pointless and a waste of money. It's like installing a state of the art security system and then leaving the key under the flowerpot.

  9. Anonymous John

    The bleeding obvious.

    The taxpayer/customer/pays the fine and the person responsible doesn't give a flying ****.

  10. Mad Mike

    Most effective solution

    The most effective solution to prevent data breaches etc. is simply not to store it in the first place. Some data is required of course, but huge amounts of data, not really required, are kept by most businesses. How many companies have got records going back decades? How many know far more about you than is really required to perform their business? A lot.

    If you don't have the data, you can't leak it!!

    Many companies actually go out of their way to obtain more and more data about people without having any real idea of its value or what they're going to do with it. The view is, the more data they have on a customer, the most useful it MIGHT be in the future. Much of it proves not to be, but is a big leak risk.

    1. Anonymous Coward
      Anonymous Coward

      Re: Most effective solution

      "The view is, the more data they have on a customer, the most useful it MIGHT be in the future."

      It's the "save it for a rainy day" attitude. The LAST thing they want is to learn that something obscure can be turned into the Next Big Thing...only to learn they stopped collecting the stuff a long time ago. For them, the opportunity cost of keeping things for a rainy day (even with the risk of a breach) is less than missing out on the Next Big Thing, which could be an existential threat if they're not in on it. Since they're up against an existential threat, the only thing that will shake them is another existential threat, only more likely. Trouble is, threatening something like that can bring collateral damage just from the threat.

  11. Anonymous Coward
    Anonymous Coward

    £250k? Is that all?

    The problem isn't the fine, the problem is the fine isn't big enough. £250k is *nothing* to Sony. It won't even register. Simply fine £1,000 per breach. Millions or user details lost? Yeah, that fine *WILL* hurt.

    In fact, that fine would be so large that the likes of Sony might actually start to give to shits and implement decent security.

    Then again, we are talking about a company that thinks it's perfectly OK to launch a global cyber attack against its own customers.

  12. Anonymous Coward
    Anonymous Coward

    Make the fines actually hurt

    Token fines don't dissuade any crim be it a CEO or hacker. Serious fines and prison time however will deter many. When you fine Microsucks 1.5 billion, it don't mean nothing to them. Bill spends that amount on lunch. If however you fine them a hundred billion, now you've got their attention and that of their stockholders who are going to lose their dividends and stock value from the crime and the fines.

    Sending CEOs to prison will also make a huge change in the ideology of most corporations. As it stands now a CEO can allow his company to perpetuate all sorts of criminal activity or be grossly negligent in security and never suffer any personal punishment. The company gets a small fine that routinely doesn't even relate to the profits generated from their crimes or the damage done to their customers.

    1. Anonymous Coward
      Anonymous Coward

      Re: Make the fines actually hurt

      But the thing is, they can reasonably argue that they weren't personally responsible for the actions of those underneath them. It's part of how the corporate hierarchy works: each higher level only knows the activities of the lower ones in broad. That's why they're structured the way they are: the specialists are supposed to be doing the actual nitty-gritty. Doing what you demand would force the structure to becomes micromanagers, and people tend to hate micromanagers.

      This combined with an "innocent until proven guilty" legal standard means the only way you can nail the executive is to pin them to a specific crime, and having an underling ruin things isn't a crime unless you can prove they knew what was going on, which they can just deny and the other executives swear by the lie.

  13. Anonymous Coward
    Anonymous Coward

    Saying fines aren't the answer isn't the answer either...

    I see a worrying trend here. Much like crooked banking, we'll soon have 'deferred prosecutions' along the lines of: Please don't fine us, let us put the same amount into our tech infrastructure instead...

    But the truth is corporations are being behaving badly by repeatedly requesting and storing information they have no right to, just in case they can think of ways to monetize it or sell it down the road. Take the Reg article below for example.

    What data regulators should be doing is auditing more companies and insisting on the mass purging of 'our data'...


    "Security expert Troy Hunt has taken a look at what mobile apps collect to send home to their owners, and isn't impressed: even PayPal is still addicted to invasive habits....they’re obtaining data from me that I had absolutely no idea about”.

  14. Anonymous Coward
    Anonymous Coward

    Cut off their access to the Internet

    The company, its executives, the members of its board.

    That should make it easier to do the right thing.

    Best part is, it doesn't require the government to make that happen. Just some strategically placed mis-routing buried so far in the system that it will take them decades to sort it out.


    What does it take to get the ICO to do actual work?

    The excuses...

    "We are not IT experts"

    Then... "ICO are not IT experts and we lack the power to fine"

    Then... "ICO are not IT experts and have the power to fine, but the fines are not big enough to make it worth bothering"

    Then... "ICO are not IT experts and have the power to fine, and the fines are now big enough to hurt offenders, but we are still not going to do it because it might hurt offenders"

    And now they wonder why, despite 97% public awareness of data protection, only 1% of respondents would bother complaining to the ICO when a data protection offence occurs.

    The ICO are absolutely pointless. The truth is there is effectively no data protection in the UK at all. It doesn't matter what the law says any more. Doesn't matter what you think your rights are. No regulator will protect you. No law will be enforced.

    Do not trust the ICO to defend your privacy rights against crooks. It never happens.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like