ICO reprimands for data breaches will not keep cyber-criminals out or encourage companies to ensure robust cyber-defences
January 2024 by The Information Commissioner’s Office (ICO)
The Information Commissioner’s Office (ICO) has been high profile in its efforts to ensure that companies are secure and remain able to keep data safe. Regulations such as GDPR have been introduced with much fanfare to further protect data and to ensure that companies have the right levels of security in place. Such regulations have come with the promise of severe penalties for those who fail to adhere to them.
In light of this, and of the increased scrutiny of the mainstream press (most major breaches are now the subject of headline news), one might expect the ICO to be comprehensive in rolling out fines and prosecutions to those that have failed to protect data, particularly organisations that hold sensitive information.
However, a quick glance at the ICO’s website shows that very few monetary penalties have been handed out for serious data breaches. Instead, these cases are being met with reprimands, while the companies sending unsolicited SMS messages and calls are being dealt with most severely, with hefty fines.
The list of those reprimanded is, on the whole, made up of high-profile, large organisations. There are obviously reputational consequences for high-profile breaches, but without regulation being strongly enforced there is little incentive for them to put real effort into securing their systems. The threat from cyber-criminals is only going to increase over the coming months, and unless organisations do more to protect themselves and the data they hold, there will be a large number of successful breaches in 2024.
Companies need to stop treating regulations as a tick-box exercise and realise that the point of them is to protect data. Equally, the ICO needs to step up its efforts to impose ‘proper’ sanctions on those organisations that are failing customers and partners, as AJ Thompson, CCO at Northdoor plc, explains.
“The high-profile introduction of GDPR in 2018 was meant to prove that the authorities were taking the threat from cyber-criminals and the misuse of data seriously. There were promises of major consequences for every business that failed to adhere to the regulation, but as the years have gone by we have seen that those organisations suffering data breaches have been, frankly, rapped on the knuckles, with no further consequences.
“In contrast the ICO has been handing out quite large fines to those companies that have been sending unsolicited SMS, texts and calls. Although, undoubtedly, this is an annoying and fairly serious misuse of people’s details, it cannot come close to the exposure of sensitive data.
“A company called ‘House Hold Appliances’, for example, was fined £55k for making marketing calls, and yet we see the Police Service of Northern Ireland given a rap on the knuckles for preventing sensitive personal data being leaked – a particularly dangerous example considering the political and potentially life-threatening consequences of such a data breach.
“Other examples of where companies have been reprimanded, rather than more severely punished, include Bank of Ireland, Finham Park Multi-Academy Trust, NHS Fife and many more. There is an argument that fining public sector organisations thousands of pounds is not going to do anyone any good, in which case other appropriate, but effective, measures need to be put in place.
“The regularity of high-profile data breaches also points to the fact that many are taking regulation at face value. By treating regulation like a tick-box exercise and forgetting the reasons behind the regulation, they are giving the advantage to the cyber-criminal.
“Adherence to regulation does not equal security. Cyber-criminals are certainly not resting on their laurels, but rather are continually looking for new, sophisticated methods to gain access to data. As a result, organisations must continually look at their defences and at what the latest threats look like, to give themselves the best chance of keeping the cyber-criminal out.
“More serious consequences from regulators for those companies that have failed to adhere to regulation is one step towards taking the fight back to cyber-criminals. Equally, organisations must take more responsibility themselves for ensuring that regulation is not treated as a tick-box exercise, but rather as a starting point for their cyber-defences,” concluded Thompson.