Laws need to be enforced

Seen from this side of the Atlantic, the picture painted by Symantec’s global IT risk survey is a gloomy one. According to the report, twice as many European companies expect a major data loss every year than do their counterparts in the US; only half as many rate their firm’s security training as effective; and 20 per cent fewer think data protection is a critical business issue.

Individually, the figures are interesting. Taken together they show a different corporate culture.

In the first instance, the US has more laws. There are corporate governance requirements – such as the infamous Sarbanes-Oxley. And there are also more regulations specifically targeting security issues – such as California’s breach legislation, now taken up by two-thirds of other states – which requires companies to notify the public about IT security infringements.

But what really catches firms’ attention is that the laws are stringently enforced.

In the UK, it is a different story. We have fewer regulations, less effectively applied. The Data Protection Act (DPA), for example, yielded only 15 successful prosecutions last year, half of which resulted in fines of less than £750. In such a context it is not surprising that data protection compliance is lower on UK agendas.

This is not the first time Computing has called for the Information Commissioner’s Office (ICO) to be given more teeth. The figures on spam – another major ICO responsibility – are equally woeful. Despite hundreds of complaints every year, the ICO has yet to bring a single case to trial.

Last week Nationwide was fined just under £1m for inadequate information security procedures following the theft of an employee laptop. That the case was brought by the Financial Services Authority, rather than the Information Commissioner, underscores the ICO’s secondary standing.

Computing does not want more law. But it is in the interests of business that those we have are rigorously applied. The ICO needs more power to do its job.