ICO Struggles to Issue Data Breach Penalties
ICO Struggles to Issue Data Breach Penalties

The Information Commissioner’s Office (ICO) recently released its Annual Report 2014/15 which reflects the organization’s activities for the year, including those related to data privacy. In 2014/15 the ICO received 14,268 data protection concerns with 46% of concerns relating to the disclosure of data. This number has no direct correlation to the actual number of people affected by data breaches within the year, but the report nonetheless gives insight into areas of public concern.

During the year, the ICO investigated 1,707 data breaches, issuing £692,500 in civil monetary penalties. Overall, penalties issued to companies and organizations that leaked customer data was reduced in 2014/2015, from £2 million in 2013/14 to £1.3 million last year. This is not because there were fewer data breaches but that the ICO has become more picky in choosing which cases to pursue, knowing many will go to appeals. It would seem, based on these figures, that the ICO has not been able to hold organizations accountable for data breaches, from a dollars perspective, in the same way that class action lawsuits have been.

It is interesting to compare these figures to those in the US where organizations face millions in fines and lawsuits, aside from other costs, due to the many overlapping regulators at the National and State level. The upcoming EU General Data Protection Regulation is set to drastically change data protection law for International organizations, particularly when it comes to penalties.

In order to help you navigate the choppy regulatory landscape surrounding these changes, we helped create this series of short videos and whitepapers. We also recently released a whitepaperGlobal Data Breach Notification Laws: Meeting Requirements and Mitigating Risks with Endpoint Security, intended to help security teams understand the basic requirements of data breach notification rules worldwide, including the specific expectations pertaining to mobile incidents, in order to develop effective risk management and compliance strategies.

ABOUT THE AUTHOR

Arieanna Schweber

Arieanna Schweber has been a part of the Absolute writing team since 2007. Arieanna was Canada’s first female professional blogger and has been professionally blogging since 2006 and has spoken at leading blogging conferences including BlogHer and Northern Voice. Arieanna has a joint degree in Business and Communications from Simon Fraser University and continues to build communities for Vancouver-based clients.