UK watchdog's punishment for Blackbaud, Easyjet, other big privacy lawbreakers was slap on the wrist in private Blackbaud was given a private slap on the wrist by the UK's Information Commissioner's Office (ICO) after paying off criminals who stole users' financial data from the cloud CRM biz's servers. The astonishingly mild sanction was revealed in a Freedom-of-Information response after senior data protection specialist Jon Baines at …
But that's the problem: the damages are unknown and unknowable, particularly with future risks of, for example, identity theft.
The restitution should not be damages except where they can be explicitly shown and proven; they should be punitive to persuade companies that, hey, guess what, it's not a cost of doing business, it's a good idea to get some better security organised.
And it was likely to be top grade ID data for travel - passport number, genuine DOB, address etc. So those damages not that far fetched - really needs a proper punishment instead of minor fines or "reprimands" (I'm assuming SMEs don't have the right contacts to know the special approaches needed to get a reprimand instead of a fine)
Maybe I'm odd but very few sites have my full real details, especially DOB, huge difference in info a site gets from me when its a legal requirement for them to be accurate (e.g. travel out of UK), compared to what they get when accurate data is not legally mandatory.
... Amazing how many sites are happy with a DOB that would make me the worlds oldest person by quite a few years.
Ah, but you don't deal with the Home Office every 10 years - your data is used constantly and every time you travel into and out of the UK etc.
The data at the passport office is also increasingly used to help confirm you identity, for example by providing your photo image to other "agencies", such a for renewing photo driving licences.
Prior to GDPR the ICO openly wasn't interested in pursuing companies that were involved in data leaks. When pushed excessively it's fines typically never went over a few thousand pounds, and they were rare. Then the GDPR came along and all that changed. It was power hungry, huge fines being thrown out all over the place. But then the fines (mostly) went unpaid. Now Brexit has been and gone, the ICO seems to have reverted to it's pre GDPR behaviour. It's political masters don't want to be rocking the boat when there's trade deals to be done with the very people who don't give two hoots about data protection.
"We will publicise these if it will help promote good practice or deter non-compliance."
This should apply particularly to all public bodies who, in theory, are or should be answerable to the public.
Obviously fining them means the fines being paid from the public purse so the minimum ought to be to shame them publicly.
The reason they don't publicise these wrist slappings is simple. Once other organisations know that these transgressions have gone unpunished then they will no longer fear GDPR or the ICO.
Clearly the ICO do not publicise these non-punishments because they are embarrassed by their own weakness.
What I would be interested to know is whether the ICO chose this track off their own bat or if they have been instructed to do so by government. I suspect the latter and if this is the case questions should be asked in the house. However with the feeble opposition we have at the moment it's unlikely that the questions will be asked and even if they are the opposition will probably accept some pretty feeble answers.
Whilst the effectiveness and appropriate size of fines is a reasonable matter for debate, the fact that there was no requirement to toughen up their security after the incident is appalling. It only leaves the suspicion that the government has turned the ICO into a paper tiger that lets companies get away with stuff, due to some blind ideology about regulation being "bad for business".
What's really bad for business is sending the message that UK companies are allowed to have poor security in the name of not "burdening" them with the cost of implementing it. Why do business with them if they're allowed to play fast and loose with your data?
We have a previous MI6 employee yesterday telling us that all forms of cyber espionage, and hacking is a serious threat, and then the government ignoring the basics of information security.
Then the debacle of NHS data being sold off too.
It is obvious that the government are really not bothered about protecting its citizens.
I think this is caused by a number of different issues:
Ignorance - many in Government STILL have little comprehension of IT & Data Security
Vested interests - simply, follow the money, they will always think about themselves first and as we have seen with all the "second" jobs MPs have, they only care about themselves.
Timescales - Government (any) is incapable of thinking about anything much beyond the current term or Parliament.
They don't care - this is a general malaise in the population as a whole. There are too many people who through lack of understanding and apathy, simply don't care.
I have twice send emails to them over the last year asking them to delete my data from their databases as per my "right to be forgotten". The first one came back with an automatic reply saying they were busy and would get back to me soon.
Fast forward a year and I still have no reply.
Reprimands should be limited to 2 cases only:
1) Public bodies, where a fine is irrelevant (moving money around government, and no impact on the organisation). In that case the breach should always be publicised so that the appropriate oversight (civil service, parliament, and the public) can make sure the problem is not just fixed but lessons are learnt.
2) Small companies, where the ICO decides that the company, and the public, are best served by the company mending its ways, and a fine is not the way to force them.
Reprimands should never be used for large commercial companies who have made a clear breach. Those companies can afford to take advice and do audits and must be incentivised to beef up their internal systems and processes to make sure they not just take external advice but act on it.
If the company took advice but decided to go against it then there should be legal action against the directors personally.
The ICO doesn't issue fines and it never has done. It issues Monetary Penalty Notices, essentially the same thing but legally different as there is no set banding of fines levels among other things
Its a pedantic thing not helped by the outgoing IC being fond of the term fine during her myriad of public appearances but now she has gone back to Canada hopefully the new incumbent will at least use the right language and be less fond of a public appearance
Just received the final response from ICO on a case I raised about 6 months ago.
Once again whilst the ICO indicate that they agree the government agency did not comply with GDPR and PECR the case is now closed with their usual waffle along the lines of them telling the agency to ensure staff attend mandatory training annually and that the agency's policies and procedures must be updated to reflect GDPR.
This for a complaint that was specifically regarding the agency's Data Protection Officer failing to adequately perform their duties (as defined in GDPR) and of their DPO failing to get actively involved in my original direct complaint to the agency (at the time the agency's DPO simply passed my complaint on the "relevant team" and did not even acknowledge receipt of my complaint).
For the various cases I've raised with ICO over the past couple of years the ICO has yet to take *any* significant action as a result of any of the complaints, even when they agree, for the majority of these cases,that GDPR/PECR has been broken.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
