I’ve read two different stories this morning which, whilst based upon the same theme of data theft, offer up two contrasting views of the problem and how it is dealt with by the parties involved.
The first article I read was about three credit card issuers in South Korea. Between them they had experienced the data theft of up to 104 million cards.
The information was stolen over a 15 month period, beginning in October 2012 and ending in December 2013. The individual responsible, a temporary employee at the Korea Credit Bureau, has been arrested and is currently, one presumes, practicing his soap picking up technique.
The three credit card companies – KB Financial Group, Lotte Group and NongHyup Financial Group – have all received a temporary ban on issuing new cards until May 16, a move that is likely to have serious financial consequences given the extremely high use of plastic credit in South Korea.
Each of the three companies will have to pay a fine in excess of five and a half thousand dollars. Four senior executives have resigned and a further three have tendered their resignations.
The country’s Financial Services Commission is still considering additional punishments for executives at the three firms and may look to lengthen card-issuing sanctions in any future cases.
The feeling amongst lawmakers in South Korea is so strong about this loss of personal data that there have even been strong calls for the financial regulator to fall on his own sword too.
In complete contrast, however, SC Magazine wrote about how very different things are closer to home.
It reported that the UK’s Information Commissioner, Christopher Graham, has told MPs that the deterrents available in Britain do not match the crime. The piece notes that a civil breach of the Data Protection Act carries a maximum fine of half a million pounds, whilst a criminal act leaves the perp open to an unlimited fine. In practice, however, the fines actually dished out are significantly lower (a few thousand pounds appears to be the norm).
Speaking to the House of Commons’ Home Affairs Select Committee, Graham said:
“I just think unless people feel ‘I could go to jail for this’, we are not going to get very much further. I could investigate and we will investigate… but I have to face the fact that it’s possible [convicted individuals or companies] would simply be looking at fines, and fairly modest fines.”
The Commissioner went on to say that he would like to see ministers enforce Section 55 of the Data Protection Act, which would allow courts to hand out terms of probation or even jail time for the criminal disclosure or acquisition of personal information.
Such a view appears to have found favour with our very own Brian Honan, who said,
“I would agree with the ICO. People’s personal data is not a commodity that can be bought and sold. It is their personal data which has been entrusted to third parties who should ensure it is protected properly. Companies should not see these data as a resource that they can use without the knowledge or permission of the people involved.
The remedy is for more enforcement of the law so that a message is sent to companies that this behaviour is not acceptable. This should be also reinforced by education and awareness of companies’ obligations under the DPA.”
(Fortunately for Brian, he wears the right coloured hat and won’t ever find himself on the wrong end of a DPA ruling – which is just as well, considering his recent comments to InfoSecurityMag in which he said “I don’t think I’d like prison food… and this body would just be ravaged in prison.”)
Concluding which country has the right approach to dealing with data theft is, of course, a matter of personal opinion.
My view is that we are far too lenient in this country and that the current penalties are nowhere near enough to act as a deterrent at all. The threat of prison would certainly be a step in the right direction in terms of focusing minds and fostering a stronger security posture.
Even more so, I would like to see executives of UK firms follow their South Korean counterparts by resigning when their organisations screw up.
Accountability is good and I would welcome its return in the UK.
What do you believe to be an appropriate deterrent/punishment for data theft?