Volume: 4 Issue: 12
The UK Information Commissioner's Office (ICO) is seeking criminal penalties for security breaches following the loss of personal data on up to 25 million individuals by HM Revenue & Customs, and is investigating the sale of personal financial details of individuals on the internet.
UK Information Commissioner, Richard Thomas, addressed the House of Commons Justice Committee on 4 December to press for additional powers he claims are required to crack down on data breaches. This includes prosecutions and the ability to carry out 'spot checks' on public and private sector organisations.
A spokesperson for the ICO confirmed that a variety of issues were discussed to encourage organisations to "take data protection seriously", including the possibility of a US-style reporting duty on UK organisations.
The ICO and the Metropolitan Police are investigating evidence provided by The Times newspaper on 30 November relating to more than 100 websites trafficking British bank account details, a fraudster offering to sell 30,000 British credit card numbers for less than £1 each and a British 'e-passport' for sale.
The Times reported on 3 December that it was able to download for free financial data relating to 32 people, including a High Court deputy judge. The data included private account numbers, PINs and security codes.
The investigation follows the recent loss of two computer discs containing the personal and financial details of up to 25 million individuals and 7.25 million families by HM Revenue & Customs - the biggest data security breach in British history.
The discs, which have yet to be recovered, went missing whilst being sent to the National Audit Office. The incident is now the subject of an independent review being carried out by Kieran Poynter of Pr icewater houseCoopers, taking into account the ongoing investigation being carried out by the Metropolitan Police into the breach. The initial findings are due to be reported by 14 December.
'It is ...important that the law is changed to make security breaches of this magnitude a criminal offence. At the moment I can take limited enforcement action, but making this a criminal offence would serve as a strong deterrent and would send a very strong signal that it is completely unacceptable to be cavalier with people's personal information', said Thomas in a statement following Prime Minister's questions on 21 November.