The UK’s Information Commissioner, Elizabeth Denham, recently recommended to the House of Commons that company directors should be held responsible in the aftermath of a data breach.
Denham wants this provision to be included in the draft of the Digital Economy Bill.
At the moment, under current laws company directors have no personal liability or accountability for breaches of data protection law committed by their companies.
Denham said that the Information Commissioner’s Office (ICO) has issued a total of £4 million in fines in the last year, and collected only a small percentage of that sum.
After being fined, companies would shut down and re-open under a new corporate identity, thus avoiding the fine.
“It’s difficult to see many company directors accepting personal liability for data breaches, simply because of the sophistication of today’s attackers and the fact that no defence can be considered completely watertight,” said Matthew Ravden, VP at cyber security firm Balabit.
“Nevertheless, company leaders must act fast to ensure they have the right technologies in place not only to satisfy auditors, but to prevent breaches from happening in the first place.”
Indeed, it could be argued that this proposal by Denham is unfair, given the apparent inevitability of cyber attacks and the data breaches that follow them.
A recent survey conducted by Iron Mountain, looking at local authorities, found that 67% of senior managers believe a significant data breach is inevitable because of poor information management.
Similarly, 52% of records and information managers at local authorities feel that security breaches are “accidents waiting to happen” as a consequence of time pressure and resource constraints.
The safety of confidential and highly sensitive information – from employee records and legal files through to school admissions and social care records – could be at risk.
For many senior managers (71%), budget cuts present the main threat to the quality of information management and security.
Around a third of senior managers and information management professionals cited excessive demands from central government (37%), a lack of staff (36%), time constraints (32%) and internal bureaucracy (31%) as the main barriers to effective information management.
These barriers are making it difficult for those responsible for managing information to protect and, when the time is right, securely dispose of the information entrusted to them.
Over half (57%) of records and information managers say they have only seconds to handle documents – including invoices, legal and HR files – and approaching two thirds (61%) admit there aren’t enough staff to cope with the volume of information moving in and out of their organisation.
According to the research, half of records and information managers admit that the number of incidents involving poor information management has increased over the past 12 months.
This mismanagement includes keeping records beyond their required retention period, sending information to the wrong person and taking confidential or sensitive information out of the workplace.
29% of records managers said that up to a fifth of their information has been inadequately managed over the past 12 months due to organisational pressure and change.
This report does not bode well for local authority directors if Denham’s proposal is included in the draft bill.
It also raises the question of the quality of information management in the enterprise: is it as confused and sporadic at that level?
If so, not only could the organisation be stung with a massive fine post-GDPR, but the company director could be held directly accountable, although what punishment this would entail remains unclear. It certainly won’t be good.
“It’s not enough to have clear information security and management policies and processes in place,” said Phil Greenwood at Iron Mountain.
“Communication is key to ensure widespread adoption and encourage the implementation of information management best practice across all departments. Policy and processes need to reflect changes in regulations and internal processes, with these updates communicated clearly to all staff.”