ITIL-V3 Bookcase
ITIL 2.7.3.4 Negligent Breach

General Data Protection Regulation:
The General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) was adopted in 2016 and applies from 25 May 2018.   It makes "appropriate technical and organisational measures" a legal obligation rather than a business option, and it introduces administrative fines of up to four percent of world-wide annual turnover or 20 million Euros, whichever is higher.   This page refers to a breach that results from a failure to invest in such measures as a Negligence Breach or Unjust Enrichment.
Cyber insurance policies have been revised so that a company cannot insure itself against the consequences of breaking the law: regulatory fines are generally uninsurable, and a policy will not pay out for a breach caused by an unlawful failure to implement adequate security measures.   Not investing in adequate security is itself unlawful under the regulation, so insurance cannot be relied on to cover the cost.

Negligence Breach:
Where a company has profited by saving money through not implementing adequate security measures, it will be fined.
The first example is of a company that had a computer stolen that contained business data, including personal data about individuals.
The settlement included paying each person whose data was lost between ten and thirty Euros, scaled by the number of years of data that was lost.
The regulatory fine was far more than the cost of the stolen computer, but far less than the total compensation paid to the people involved.

Unjust Enrichment:
Some companies try to save money by leaving "at risk" personal data on local computers rather than migrating it to a properly secured cloud service.   The UK Information Commissioner's Office (ICO) has made it clear that not spending on security is not an acceptable saving and carries a very high penalty.   Where a company has saved a few pounds by holding personal business data on local computers that may be hacked or stolen, this kind of enrichment will be stopped by enforcement action.   Security is not optional: the regulation requires appropriate technical and organisational measures wherever the data is held, so moving data to the cloud only helps if the cloud service is itself secured and contracted as a data processor.   Anyone who is aware of a breach or of inadequate protection can report it to the UK ICO through its web site.

Data Protection Officer:
A company MUST appoint or contract a Data Protection Officer (DPO) where it is a public authority, where its core activities involve regular and systematic monitoring of individuals on a large scale, or where it processes special categories of personal data on a large scale; the fixed threshold of 5000 data subjects quoted in earlier drafts of the regulation did not survive into the final text.   The DPO MUST have expert knowledge of data protection law and practice, adequate training and the experience to implement the measures they judge necessary; no particular certification (such as CISSP) is mandated, but the expertise must be demonstrable.   The DPO MUST be given the funding and other resources needed to do a professional job, and MUST NOT be dismissed or penalised for stating what data protection measures must be implemented and what methods of working must be stopped.
Where a company contracts an Application Service Provider (ASP) to process personal data on its behalf, the ASP is a data processor, not the data controller: the company remains the controller and remains responsible and liable for the data.   The DPO role may be provided by an external contractor such as the ASP, but the ASP's responsibility covers only the data under its control, and it should advise the company that the company is liable for all other data that may become the subject of a data breach or negligence breach.
An annual risk assessment must be conducted (a data protection impact assessment is mandatory where processing is likely to result in a high risk to individuals), and procedures must be in place to notify the ICO of a personal data breach within 72 hours of becoming aware of it.   Procedures must also cover notifying each person affected without undue delay where the breach is likely to result in a high risk to them; affected individuals have a right to claim compensation for the damage they suffer, and the ICO may impose a fine on the company in addition.   The risk assessment must record the purpose for which personal data is collected and the lawful basis relied on; where that basis is consent, the company must be able to evidence that consent was given and must make it as easy to withdraw as it was to give.   People have the right to see their data, to have errors corrected and to demand erasure.   This applies wherever personal data is held, including email systems, diaries, local spreadsheets and paper files kept in a filing system.