In an effort to deter cybercrime and inspire more vigilant data protection efforts, British lawmakers are proposing amendments to earlier statutes that would impose stronger penalties for data breach offenders.
Legislators are looking to take action in the wake of several high-profile data breaches within the U.K. healthcare sector and business community. Many are concerned that the sanctions within the current regulatory framework may not provide an adequate deterrent, particularly in relation to the financial gains associated with cybercriminal activity.
“The government should lose no more time in bringing in appropriate deterrent sentences to combat the unlawful trade in personal data," a report from the Information Commissioner's Office stated. "The Ministry of Justice still has not given a response to the previous administration's public consultation of two years ago. We need action, not more words. Citizens are being denied the protection they are entitled to expect from the Data Protection Act."
According to the BBC, a number of offenses may be coming from surprising sources. Financial institutions, debt collection agencies and claims management firms have often been accused of passing on sensitive information to marketing companies without customer consent. However, although judges can impose fines of greater than $8,000 per offense, the average rate is roughly $250.
To address this issue, lawmakers have gone so far as to suggest prison sentences could be warranted.
"Magistrates and judges need to be able to hand out custodial sentences when serious misuses of personal information come to light," Sir Alan Beith told the BBC.
But although that provision may ultimately prove to be too controversial, there are several more realistic ways in which the regulatory framework may be amended.
ICO officials have contended that the data auditing powers available to authorities are insufficient. Currently, Information Commissioner Christopher Graham offers free, consultative data security assessments to organizations in all sectors. The program has not been popular, however, with the BBC reporting that not one insurance company has submitted to a voluntary audit.
Earlier this month, the ICO responded by calling for the power to mandate compulsory data audits, according to Computer Business Review.
"Helping the healthcare sector, local government and businesses to handle personal data are top priorities," said Graham, according to CBR. "Yet we are powerless to get in there and find out what is really going on."
Security experts around the world would be wise to monitor the progression of this legislation, as it may present an important case study on government intervention in private sector data protection efforts.
Data Security News from SimplySecurity.com by Trend Micro