A leading data protection lawyer is calling on the Information Commissioner’s Office to clear up once and for all what it deems as adequate protection against a data breach, claiming many firms are simply being kept in the dark.
Pinsent Masons data protection law specialist Marc Dautlich’s demands come in the wake of the ICO’s £250,000 fine issued against Sony for its PlayStation Network breach in April 2011 – and Sony’s intention to appeal against the ruling.
The regulator claimed the attack could have been prevented, although Sony maintains that “criminal attacks on electronic networks are a real and growing aspect of 21st century life”. It is also well documented that hackers are one step ahead of the game.
The issue is all the more pressing because of the proposed data breach rules currently being thrashed out in Brussels. Under the draft EU Data Protection Regulation, which states that firms must be fined 2% of annual worldwide turnover, Sony would have been hit by a £1bn penalty.
Dautlich said: “Organisations need to be given guidance on what technical measures can be said to constitute an appropriate standard of security for the purposes of compliance with the Data Protection Act (DPA).
“The Sony appeal could be extremely interesting as it may provide an insight into what the ICO considers to be an appropriate standard of security that organisations have to have in place, particularly as it is a case involving a company in the private sector.
“Organisations are increasingly subject to malicious attacks and clarity from the ICO is needed about just how good security needs to be to meet the requirements of the DPA.
“This is an important issue at the moment, but it will come even more into focus if all organisations are mandatorily obliged to report data breach incidents as would be the case if proposed reforms to EU data protection laws are introduced as currently drafted.
“In our experience it is also very often the case that security incidents go hand-in-hand with a finding that organisations are holding too much personal data. This case should highlight the need for firms to concentrate on their retention policies and give the issue sufficient attention.”
Sony’s fine – which has been blasted as paltry by some – could be cut to £200,000 if it pays the penalty before February 13, as part of an “early payment discount” offered by the watchdog.
Sony has refused to comment on whether it will take advantage of the early payment discount and simultaneously pursue an appeal – a move which is banned under ICO rules. However, this stipulation has yet to be challenged at an Information Rights Tribunal.