Whilst it remains to be seen whether the ICO will enforce the new rules on a fair and equitable basis – or treat it as revenue generation exercise for the government – research carried out claims to show that companies are both unaware of the penalty changes and are failing to cover themselves on the security front.
The study – from Cyber-Ark Software – found that 88% of customers' data on handhelds is not adequately protected, despite the fact that the ICO issued further guidance on the Data Protection Act back in January.
Researchers found that, in a poll of 500 city workers in London, the majority have not been informed of the new penalties, or the rules of the Act. 65% of respondents noted that nothing had been said to them about the regulations.
Interestingly, 93% of city workers revealed that, if they were personally held liable for protecting customers' data, they would certainly be more careful with how they handle data.
71% of respondents claimed, meanwhile, now that they have been made aware of the financial implications to their employer they will be more careful with how they handle data in the future.
Cyber-Ark says that it may not be surprising that 64% admit to carrying customer data with them on mobile devices still, with the ICO waiting to claim his first scalp.
What is scandalous, the IT security firm adds, is that 38% protect their data with 'nothing', and only 50% use a password. Plus just 12% encrypt their data to protect it from falling into the wrong hands.
Adam Bosnian, Cyber-Ark's vice president of products and strategy, said that people increasingly understand the need to protect their data, but for some reason it's not always top of the IT manager's list, despite the fact it should be.
"We have been blown away by these findings especially to discover that, with a £500 000 fine hanging over directors from the 6th April, workers are walking about with unprotected customer records", he said.
"Education is one piece of the puzzle in making sure that those people who do have access to privileged data are responsible with it and recognise the vital role they play in an organisation's compliance obligations", he added.
According to Bosnian, organisations also need to control privileged users and accounts to protect sensitive information, such as customer data, from navigating its way into the wrong hands.
By having the tools in place that manages who has access to what data, and tools in place to keep track of what they do with it, he explained, organisations can regain control.
This is, he says, a pretty real need not only to respect the information but to avoid the hefty fines that will soon come into force.
Over at fellow IT security firm Symantec, the company is urging business to bolster their defences in order to avoid the new fines.
Mike Jones, Symantec's principal product marketing manager, said that the ICO is aiming to give the Act "teeth" and is clearly concerned about several high-profile cases where unencrypted, confidential data residing on laptops and USB sticks has been lost and stolen.
"The impact of the vast majority of these cases could have been easily mitigated or avoided altogether by following security best practice such as protecting data and having clear guidelines in place for how data is used", he said.,
Credant Technologies, meanwhile, says that the new ICO penalties have kicked off amidst a raft of public sector data losses and censure actions.
The IT security vendor notes that, in a fortnight that has seen two councils leak data and the ICO slamming further three councils for failing to protect their data – you could be forgiven for thinking that the public sector is leaking data like a sieve.
But, says the firm, this is all a sign that the ICO is ramping up its investigations and rulings, in preparation for this week's introduction of a 100-fold increase in the maximum penalty for a data breach.
According to Sean Glynn, product manager with the data security specialist, with penalties of up to half a million pounds, it's clear that the ICO's office is girding its loins for what could be a spring and summer of discontent amongst IT managers, as their data insecurities are made public.
"As last week's data breach involving the loss of data on 9000 teenagers from Barnet Council being stolen from the home of an employee shows, having a good set of security policies in place does not help if you do not use technology to firmly enforce those policies", he said.
"And as the case of Stoke-on-Trent's council social work department apparently losing an unencrypted USB stick in the mud also shows, security policies are for naught if the staff don't stick to the council's policies", he added.
Glynn says that, if you look closely at the three effective censures that the ICO's office made last week against three councils – Highland, St. Albans and Warwickshire – you'll see a common thread running through them: a lack of effective implementation of security policies.
In the case of Highland Council, where personal data on one family was released to another, you can see that staff at the sharp end let the side down. And in the St. Albans incident, where a laptop was stolen last summer, it was a similar lack of engagement by the staff concerned, who left the notebook on a desk without securing it, he explained.
The final censure against Warwickshire county council, says Glynn, was the result of two laptops and a USB stick in two unconnected incidents, that were stolen.
Glyn says the common thread to all five – or six incidents, depending on your point of view – is that a conventional IT security approach has clearly failed, with security policy enforcement proving to be ineffectual in all cases.
But, he went on to say, if all the relevant data in the organisations had been encrypted – both at rest and on the move – then there is every strong chance that, whilst the hardware would have gone walkabout in most of the cases, the integrity of the data would have remained intact, which is what the ICO is now taking a keen interest in.
This isn't to say that enforcement of security policies and good program code security practices are not needed, but that encryption of private data – from whatever source – acts as an extra safety net for when things go wrong.
"With the new penalties kicking in this week onwards for breaches of the Data Protection Act in the UK and others being introduced recently in the US such as the Massachusetts State Data Breach Law – IT managers need to understand that, without a multi-layered approach to security – underpinned by effective encryption technologies – data leaks like those of the last week will go on taking place", he said.
And this is an issue that doesn't just affect public sector IT managers alone. Their counterparts in the private sector also need to wake up and smell the coffee as well", he added.
"It's now crystal clear that, if IT managers don't get their act together in short order, there could be some hefty fines and even more embarrassing public enforcement notices being dished out."