Despite the Information Commissioner doling out his first-ever fines for Data Protection Act breaches, the UK consumer wants tougher penalties for those deemed to be wrongdoers.

Isn’t it great when you finally hear something completely unprovoked – and isn’t it also sweet music to your ears?

It appears the ever-sharp UK consumer has been reading my blogs, and I find it wonderfully refreshing that it is the customer looking to lead the revolution!

Of course, it shouldn't have to be like this; having to campaign for those handling our data to act should never have been on the menu. But can we really blame them for being slow to secure our data properly when there were no repercussions, or incentives for that matter?

Last April, the ICO was given new powers to issue fines, a move that for the consumer has been long overdue!

As many as four in five people in a recent OnePoll survey commissioned by LogRhythm felt UK companies should be subject to a US-style breach disclosure law.

Whilst prospective fines of up to £500,000 ought to get everyone focusing on new data priorities, what really ought to shock UK PLC into action is the tough stance the consumer has taken. Evidently the value of personal data has been recognised, and once it has been lost, no form of compensation can really make up for it.

The figures reflect this: 66% stated they would try to avoid future interactions with a data handler if their details had been compromised, while 17% were adamant they would have nothing more to do with the guilty party.

Ross Brewer, vice president and managing director of international markets at LogRhythm, gave his thoughts on the findings: “Our research suggests there is solid public support for such moves,” he said.

“Data breaches are still rife in the UK, and this seems to have led to a change in the public mood. There is now a common desire to see definite action taken to force organisations to clean up their act.”

Not only could companies be punished for data loss incidents, they could lose customers too, as customers are now taking an active interest in the security of their personal details.

I find myself encouraged by this news; however, critics have suggested the penalties do not amount to much. Given the scale of some of these organisations, I would have to agree.

However, let's not be too critical. After all, this goes a long way towards redressing the balance of power that organisations held over consumers. I like to think of it as a start, and Rome wasn't built in a day!

The new powers vested in the ICO are finally starting to bear fruit, and this news may at last drag UK PLC, kicking and screaming, into compliance. It needs to: roughly half of those polled believe neither public nor private sector organisations have sufficient security measures in place to safeguard sensitive data adequately.

With the increasingly aware UK consumer keeping a watchful eye, this lack of public confidence is something that businesses and government need to address fast, and Brewer summed up the findings nicely. He said: “The message to organisations couldn't be clearer: those taking a lax approach to data security won't just lose face, they will also lose customers.”

The UK consumers have spoken – over to UK PLC. It’s your move now!


Comments: (1)

A Finextra member, 12 January 2011, 12:28

Nice article! Although I have my concerns that the Information Commissioner is too conservative when doling out fines. For example, would the Commissioner consider fining the Lloyds Banking Group, the Royal Bank of Scotland Group, or Barclays? As a prerequisite, does the Information Commissioner believe these examples highlight a problem? I feel these questions are difficult to answer without banking industry guidelines that define a minimal standard and offer advice on best practices. The Information Commissioner can then issue fines, following data breaches, when the baseline has not been satisfied.

I accept that defining such a standard is difficult. Developing a secure policy for a single institute is hard, but these standards need to consider every institute; in particular, consumers bank with multiple banks rather than individual banks, and two secure frameworks may be weaker when they are both used by a single consumer (e.g., assume both banks require a PIN and a password; one bank requires the full PIN and parts of the password, whereas the other bank requires the full password and parts of the PIN; when a consumer shares PINs/passwords between systems, the framework is weaker). But, without such standards, how will the Commissioner decide whether to fine the Lloyds Banking Group, the Royal Bank of Scotland Group, or Barclays? In my opinion, the answer to the question boils down to: could the attacks highlighted have been prevented? And, in my opinion, yes they could; in particular, not all banks were vulnerable to this type of attack.

This post is from a series of posts in the group:

Information Security

The risks from cyber crime - hacking - loss of data privacy - identity theft and other topical threats - can be greatly reduced by implementation of robust IT security controls ...
