According to Chris McIntosh, the IT security vendor's CEO, out of 2,565 reported data breaches, only 36 have been acted on to date and only four of those have resulted in penalties.
The data, he told Infosecurity, was supplied under a Freedom of Information (FOI) Act request and showed that the ICO is using its powers in only a tiny fraction of all reported data breaches: fewer than 1 in 500, or less than 1%.
"The problem is that the ICO doesn't release all the data it could do, especially when it comes to data breaches. Furthermore, the size of the fines is laughable", he said.
According to the ViaSat CEO, he cannot fathom why the ICO does not impose severe fines on organisations that violate the provisions of the Data Protection Act (DPA) when a data breach is involved.
The bottom line, he says, is that if you do get reported for a breach, then you don't tend to get prosecuted.
McIntosh adds that his firm's FOI request showed that, between 6 April 2010 (when the ICO gained the power to fine organisations for breaches of the DPA) and 22 March 2011, 2,565 likely breaches were reported to the organisation.
Yet according to the ICO's own website, only 36 have resulted in action from the ICO to date, with four attracting civil penalties. And, he notes, despite the ICO being able to issue penalties of up to £500,000, those given to date have not reached above £100,000 and total just £310,000 so far.
The solution, says McIntosh, is that the ICO needs to go after major company breaches and publicise that fact – "not all of the time, just in blatant cases."
"That way the message will get out and companies who have poor security will quickly understand what might happen."