Companies face fines of £500,000 for losing data


The Information Commissioner's Office (ICO) has been granted new powers by the Government that could see organisations facing fines of up to £500,000 for breaching the Data Protection Act.

The ICO's new powers come into force today and give the organisation significantly greater muscle in taking on data security breaches. Firms now risk a fine of £500,000 for losing consumer data, a sum equivalent to more than 10 per cent of most small companies' annual turnover and 100 times higher than the previous maximum penalty the ICO could impose.

The stricter powers are seen as a necessary response to the rise in negligent data losses across Government departments in recent years. They also allow the ICO to issue compulsory audit notices to any Government department found in breach of the Data Protection Act.

The severity of the fine will be determined on the basis of the precautions taken by the company or department in question, and the nature of the data security breach.

According to the ICO's guidelines on the Data Protection Act, the most serious fines will occur in cases where the data controller responsible has "seriously contravened the data protection principles and the contravention was of a kind likely to cause substantial damage or substantial distress".

The harsher penalties were first recommended in January in an ICO report to Parliament entitled Civil Monetary Penalties: Setting the Maximum Penalty.

At the time, Information Commissioner Christopher Graham warned companies that the tougher fines were a sign that the ICO was taking data security breaches more seriously than ever.

"Getting data protection right has never been more important than it is today. When things go wrong, a security breach can cause real harm and great distress to thousands of people. These penalties are designed to act as a deterrent and to promote compliance with the Data Protection Act," he said, before adding: "I will not hesitate to use these tough new sanctions for the most serious cases where organisations disregard the law."

Security software vendor Symantec, meanwhile, has issued a set of guidelines aimed at helping businesses protect confidential data and avoid ending up on the wrong side of a hefty fine.

Its recommendations include making sure a robust security policy is in place, with strict guidelines on how and when data can leave the business premises; protecting all business hardware with the latest security software; ensuring all passwords are as strong as possible; and paying attention to non-electronic security measures, such as shredding paper records.

"The ICO is aiming to give the Data Protection Act 'teeth' and is clearly concerned about several high profile cases where unencrypted, confidential data residing on laptops and USB sticks has been lost and stolen," said Mike Jones, Symantec's principal product marketing manager.

"The impact of the vast majority of these cases could have been easily mitigated or avoided altogether by following security best practice such as protecting data and having clear guidelines in place for how data is used."