Companies can avoid a data breach fine if they pretend they didn’t know about the problem, TechWeekEurope understands
Organisations have considered using a “loophole” to avoid data breach fines – by asking the privacy regulator, the Information Commissioner’s Office (ICO), to audit them when they already know personal data has been lost or stolen.
The UK privacy watchdog has promised not to fine any company for breaches of the Data Protection Act if they are discovered during a voluntary audit. It appears that no matter how badly a company has performed, if the poor practice comes to light during an audit, the perpetrator won’t have to pay up.
TechWeekEurope has learnt that some companies are considering keeping quiet about breaches, and deleting data trails suggesting they knew about those breaches, before going to the ICO for an audit. That way, offenders sweep the issue under the rug, so it won’t rear its ugly head at a later date and they will not receive a fine, according to a member of the legal community who wished to remain anonymous.
The source said it would not be too tricky to hide the data trail which could show the audited company knew of the breach before it asked for an audit.
If a company takes a more honest approach, comes clean and reports a specific data breach to the ICO, they are still in line for a fine. This is what happened in the case of the Brighton and Sussex University Hospitals NHS Trust, which received the biggest monetary penalty handed out by the regulator, £325,000, earlier this year when it reported a data breach to the regulator.
The Trust was incensed by ICO’s actions and launched an appeal, claiming the ICO had even suggested the case was not worthy of a fine.
The ICO believes it will be able to catch those companies who try to trick it by hiding any evidence that they knew of a data breach. The majority of fines handed out by the ICO to date have come after an organisation confessed to a specific breach.
Breaking data breach rules
But members of the security community, as well as lawyers, are deeply concerned about the loophole’s potential impact on compliance, and the negative consequences of the regulator’s promise.
“The move of the ICO to selectively remove fines based on completed audits could lead to more covert reporting of incidents,” warned Carl Blackett, ICT security architect at Norfolk County Council, who said that he was speaking from a personal point of view and that his comments did not reflect the position of his employer.
“Any change which would encourage organisations to ‘hide’ incidents without the risk of a fine being imposed following an audit could lead to an increase in this practice.”
Blackett was concerned that the vital practice of data breach notification, and its deterrent effect, could be undermined as a result of the loophole. “Without this public notification, several bodies could lose valuable advice to prevent data loss.”
He said data breach notification should not solely be about fines; it should point out areas of bad practice that need to be addressed and rectified to prevent recurrence, both within the offending organisation and amongst others.
“An organisation that the ICO targets for a compulsory assessment or a consensual audit because they are perceived to be a data handling or privacy risk is exposed to a less serious regulatory outcome (no fine) than the one that the ICO aren’t targeting, but that “comes clean” after a problem is discovered,” added Stewart Room, data protection lawyer and partner in Field Fisher Waterhouse’s Privacy and Information Law Group.
“The one who is most transparent is the only one who is subject to fine… it seems to me that there is a genuine issue here.”
Currently, the ICO can only force audits on central government departments, but is hoping to be able to do the same with local councils and NHS bodies. It is not pushing for the same with private businesses.
However, the regulator can and does approach all kinds of organisations to recommend they take part in an audit, especially if the ICO has concerns about their practices.
Them’s fighting words
The potential for abusing the loophole came to light during a Westminster eForum event last week, when information commissioner Christopher Graham and Room took each other to task on the topic.
Graham, who was keen to point out a Freedom of Information (FOI) request that showed Room’s practice was paid £168,259.59 by the Brighton and Sussex University Hospitals NHS Trust in its unsuccessful appeal of the fine, said the ICO would come down hard on any companies abusing the audit process to avoid a fine.
“If we discover duplicity, that there was a breach that you knew about and didn’t report then you’re in deep trouble. There are no games to be played,” Graham told TechWeekEurope. He suggested Room only brought up the issues with the process as he “was doing what lawyers do, and he is going to lose”.
A number of notable organisations have been the subject of an ICO audit, including Google, which let the regulator in after the Wi-Spy saga erupted in 2010, when the tech giant slurped up personal information over unprotected Wi-Fi networks when its Street View cars were collecting image data. A second consensual audit took place in September 2012.
A full list of ICO audits can be found here.
In the Brighton case, the NHS Trust gave up the ghost on its appeal in June, when its fine was reduced to £260,000, and it paid up.
Other bodies remain unhappy at how they have been treated by the ICO, however, and are appealing fines. TechWeekEurope understands the Scottish Borders Council, which was told to pay out £250,000 after an outsourcer left sensitive files in a recycle bank, is appealing.
A separate, as yet unnamed NHS body is also set for a tribunal next month to fight its monetary penalty. Room will be representing that organisation.