Trying to promote better IT risk management among the country's companies, members of the U.K. Parliament recently called for jail time for individuals who breach the Data Protection Act.
In a report published earlier this month by the Justice Committee, chairman Alan Beith and others suggested that fines are not an adequate deterrent for those who violate the DPA, both cybercriminals and companies whose IT risk management programs do not fully protect stored data.
Instead, the committee recommended imposing jail time for DPA offenders. Under the Criminal Justice and Immigration Act of 2008, the committee noted, the Secretary of State has the power to impose custodial sentences of up to two years for those who violate the DPA. However, the power has not yet been enforced.
Many of the Justice Committee's assertions build on the testimony of Information Commissioner Christopher Graham, who is in charge of enforcing the DPA and ensuring that organizations are compliant with its requirements.
However, penalties - either financial or custodial - are not the initial action recommended by the information commissioner. Instead, the report noted, the Information Commissioner's Office offers free audits to organizations in both the private and public sectors. These audits can be conducted to identify areas where data security practices may be weak.
However, the majority of organizations - especially those in the private sector - decline the ICO's offer to conduct audits, as many see such audits as an additional regulatory burden that could cost both time and money. Graham asserted that this inability to compel audits is limiting his office's effectiveness.
Often, judges in the U.K. impose fines that are much lower than the nearly $8,000 allowed for DPA breaches, because they take into account the defendant's ability to pay the fee. As a result, the majority of data breach fines total roughly $80 per offense.
The ICO, for its part, has offered several other recommendations to help organizations improve their data loss prevention practices. In addition to a number of resources on its website, the commissioner has stressed education as a major part of data protection, as informed employees may better protect company information. Companies should also promote a data security culture that reaches all ends of the organization.