About time too
Hopefully this will lead to companies taking security seriously or, better still, not collecting information they don't need in the first place.
Hacking is big news and we’re all susceptible. In the UK, hackers could face jail time under the Computer Misuse Act, but the question on many businesses’ minds will be where the liability lies if they are hacked. The list of successful mega breaches continues to grow; extra-marital affairs site Ashley Madison hit the …
I'm unconvinced that the serial fines on financial services companies for various crimes have made the slightest difference to the overall culture that making money is an imperative before all others. And I therefore conclude that increased fines will mean the level and prominence of security theatre will increase in companies, but that the actual security will probably take a back seat in technology and budgeting decisions.
Risk, in corporatespeak, is the significance of an event happening, multiplied by a guessed probability. If you can convince yourself that the probability is low, then the overall risk is low, and you don't need to invest money for security. Welcome to TalkTalk.
"not collecting information they don't need in the first place."
I'm not sure this will even occur to them. In the first place, those making the decisions will probably have filled in a few online forms asking them for data that wasn't needed & will accept this as just the norm. In the second place, wants will carry more weight than needs.
I really can't see how it could be monitored or controlled, but I'd really like to see some process by which companies are prohibited from charging customers more in order to cover the cost of fines and so preserve profits, and instead the fines come from salaries and shareholders' profits - hurt those who made the bad decisions, and force the shareholders to ask awkward questions.
If the board still get their bonuses and shareholders their dividends at the expense of the customer, then nothing will ever change.
I don't ever see this happening though.
Disclaimer: I have no HR affiliations.
"and HR and sales departments are the most often hacked because they are the least computer security aware"
HR is also at the pointy end when it comes to receiving legitimate unsolicited emails so they have to be far more aware than the average employee. Fake resumes and expressions of interest are very common vectors for phishing. So this is actually a bit harsh.
No no no, doesn't matter how many times you say it, SWIFT wasn't hacked. What was hacked was an Oracle Database running on Microsoft Windows. And a more relevant question is what indemnity do the providers of the computing platform provide when it gets compromised. The answer being none whatsoever.
Fines aren't much of a deterrent in most cases. Usually because a new insurance/blame sponge sector springs up to cover the costs.
A good example of this is with banks and new laws to help tackle money laundering.
I hear that if KYC at a bank isn't performed to a sufficient level the people directly involved may be liable to be thrown in porridge for 6 months. I'm not sure if this is currently in place but it is at least in the pipeline. IANAL so I'm no expert here.
As a result I am aware of some people scurrying around gathering investment to build a solution that allows banks to hand the KYC off to a third party AND it be covered by some form of insurance. This muddies the water somewhat and allows banks to continue to carry on as before and simply build the cost of incompetence into their business model.
Counting the cost of fines as part of the running costs of a business is a widespread practice.
That said, I don't think jail time is the solution here either. I suggest being struck off from your industry and the fines being levied on individuals not the businesses.
As I understand it the government are drafting a law to enshrine all EU regulations at point of Brexit into UK law. It will then take further legislation to remove any we don't like. So regardless of Brexit this will become UK law and remain UK law unless parliament enact to remove it.
Why would they? It's a decent law with the interests of everyone except people that breach it at heart (and to a certain extent it's in their interests too).
Exactly. Upon Brexit the UK gov will preserve all laws except for those directly associated with Brexit. This will likely affect the UK contributions to the EU budget, the 4 freedoms (goods, workers, services & capital) and "red tape". This last one is the most vague (none of it is particularly certain) but I don't see culling data protection laws as being high up the agenda.
The recipe for 'original' Coca-Cola has been published in, amongst other things, the main history of the company. A rash of 'American' colas followed, but what they all lacked is the decades of marketing that means it still outsells the lot.
Similarly I doubt that the KFC recipe is secret. It's marketing.
I've been saying for a while now that the ICO should default fines for large companies to the maximum, then take in mitigating factors to reduce it, not build it up based on severity.
If companies know that they have to evidence the steps they took to mitigate attacks, show purchased products, training for staff, policies and procedures, pen testing etc they'd perhaps give a ****. As it is they are likely faced with fines which cost a fraction of this annually.
Default to the £500,000, then let them knock off 10 grand per control they can evidence.