With the help of network software management specialist Ipswitch, we thought it would be useful to give CIOs a bit of a lesson in law and penalties today. This was flagged as important because on this Rolling Blog, and in most of the press, when we reported that the ICO had levied a financial penalty on two organisations that had in its view breached the DPA, we used the word ‘fines’, which isn’t actually technically accurate.
In fact, what the ICO can impose is something called a civil monetary penalty under the Data Protection Act. The primary legislation enabling this was the Criminal Justice and Immigration Act (2008), which inserted a provision into the 1998 Act that specifically allowed, in specific circumstances, for civil monetary penalties of up to £500,000. That process didn’t actually complete until April of this year, of course.
As an ICT leader you need to know that there has been a really marked trend in the past fifteen years for Whitehall to push individual Departments to administer non-criminal civil penalties (see here). These are mandated by primary legislation (statute), which delegates the making of regulations (Statutory Instruments), usually to a Secretary of State (i.e. the person who runs a Ministry/Department), within certain parameters.
On the good side, these do not involve a criminal charge or conviction. But on the ‘bad side,’ the burden of proof is, in most cases, lower than in the criminal court system, so in practice it’d be ‘easier’ to be busted under this.
The ‘balance of probabilities’ means all the state has to prove is that it’s ‘more likely than not’ your organisation did something ‘wrong’. This makes such penalties cheap and easy to administer, and it also means civil servants will be assessing your possible dishonesty, the adequacy of your IT security and thus your liability for big penalties against this (lesser) civil burden of proof. So be warned, and you may find this document helpful, too.
Civil penalties are thus what you would possibly face if your organisation was found to have breached the CRC Energy Efficiency Scheme. For example, in the event of a failure to purchase sufficient allowances, the penalty is calculated as the amount in tonnes of carbon dioxide equivalent by which the annual reportable emissions exceeded the number of allowances surrendered, multiplied by €100. That is not a typo: it is a euro denomination, as the penalties are set by, and transposed into domestic law from, the European Trading Scheme Directive (and indeed every central government Department and many local government bodies are subject to the ETS).
You may also face what the press also calls fines, but which are likewise civil penalties, if you are a financial services organisation and come under the Financial Services Authority, the FSA. This body has the power to hand out the biggest ‘fines’ – multi-million pound – of what are technically civil penalties, to firms, assessed, again, on a non-criminal standard of proof. Please note that you don’t have to be Barclays Bank to be liable here – regulated businesses under FSMA may be very small businesses or partnerships. Although labelled in its press releases as fines, their specific nature is detailed here, and to understand the process as the FSA sees it, go here.
Any such breach may be a minor one technically, but what happens to the data after it escapes is very important in terms of potential penalties. Thus FSA Principle 3 states that a firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems.
More specifically, Rule 3.2.6R in the Senior Management Arrangements, Systems and Controls sourcebook (SYSC) requires firms to ‘take reasonable care to establish and maintain effective systems and controls for compliance with applicable requirements and standards under the regulatory system and for countering the risk that the firm might be used to further financial crime’.
There is no formal technical standard; these rules are instead the basis for detailed informal technical guidance on best practice, meaning that adherence to that guidance is not necessarily a ‘defence’ in the event of a data breach.
Penalties are determined on the basis of disgorgement (of savings or gains), discipline (of the offender) and deterrence (of others). And the user or customer is, on paper, allowed to claim ‘exemplary [read: punitive] damages,’ too. So if someone sells his data, or the Government gives it to Iran, rather than just losing it, his brief might push for exemplary or punitive damages: damages that don’t directly reflect a financial loss, and which courts can award in civil matters where there have been oppressive, arbitrary or unconstitutional actions by the servants of government, or where a civil breach is intended to generate a profit.
That’s not all. There are also damages for distress. They are not meant to reflect financial loss but are, on paper at least, available for breaches of the Data Protection Act, though only where they accompany a claim for other heads of damages in respect of a loss. This is sanctioned by the original European model directive, which some critics say isn’t fully carried over into the version we have – but could be.
And indeed there are straws in the wind already. The current European data protection regime focuses on privacy, but a European Commission consultation process now under way on new Data Protection standards is shifting the focus to the data itself. The jury (sorry) is still out on what this could mean, especially regarding the international movement of data in and out of Europe to less ‘stringent’ data protection regimes.
Finally, you may also read about all your compliance risk around the PCI DSS security standard for plastic card transactions, which, if you are a merchant, you are told could affect you. In practice, small businesses that don’t store card numbers or operate online are subject to a less onerous regime and to card issuer timeframes.
Compliance can mean simply responding to a questionnaire as it arrives in the post. However, card issuers can bar or suspend merchant privileges, essentially barring you from doing business, so you still need to be on top of this one.
So – sorry for all the legalese, but we felt this quick tutorial could be useful. And in future, we will be careful to refer to civil penalties as such, not as fines. We hope that makes them that much easier to cope with should you be so careless with other people’s data as to warrant them…