Firms face £500,000 fine for data loss

14 Jan 2010

Organisations could be fined up to £500,000 for losing sensitive data under new penalties expected to come into force in April, the Information Commissioner's Office has said.

Investigations into data loss will examine: the effect of the leak; whether it was accidental; and what the financial position of the organisation is, in order to help determine the size of a fine.

Companies that break the Data Protection Act are already subject to the penalties approved by justice secretary Jack Straw.

Information Commissioner Christopher Graham said the penalties were designed to be a deterrent.

"When things go wrong, a security breach can cause real harm and great distress to thousands of people. I remain committed to working with voluntary, public and private bodies to help them stick to the rules and comply with the Act. But I will not hesitate to use these tough new sanctions for the most serious cases where organisations disregard the law," he said.

Jamie Cowper, Director of European Marketing at data encryption firm PGP Corporation, said: "The cost of data breaches is already staggeringly high for UK businesses; last year the average breach cost £1.7 million pounds, or £60 for each identity lost. If the ICO's bite turns out to be as big as its bark, this cost could exceed £2 million; a huge expense at a time when businesses and public sector bodies can ill afford to waste money.

"Organisations that want to avoid these massive financial penalties must look to implement watertight data protection strategies, employing proven technologies."

Copyright © Press Association 2010