ICO issues first data breach civil penalties

Industry onlookers hope double swoop will act as wake-up call to security laggards

The Information Commissioner’s Office (ICO) has issued its first two monetary penalties to organisations involved in serious data breach blunders.

The data protection watchdog this morning slapped Hertfordshire County Council with a £100,000 fine for faxing personal information, some of which related to child abuse, to the wrong recipients.

Simultaneously, the ICO has stung employment services firm A4e for £60,000 for the loss of an unencrypted laptop containing personal information relating to 24,000 people.

Information Commissioner Christopher Graham said the double swoop would show that the ICO meant business.

“These first monetary penalties send a strong message to all organisations handling personal information,” he said. “Get it wrong and you do substantial harm to individuals and the reputation of your business. You could also be fined up to half a million pounds.”

Mark Fullbrook, director for UK and Ireland at security vendor Cyber-Ark, said: “Today’s news should hopefully serve as a wake-up call for all those that have ignored this ticking time bomb for so long. The products are out there, so organisations need to get wise or risk the wrath of an ICO eager to flex its muscles.”