The UK's Information Commissioner's Office has said that in the event of a data breach it would be less likely to issue a monetary penalty to charities which had taken “reasonable steps” to prevent it, including staff training. This may well become true in America too in the near future, quite apart from the existing legal requirements to train employees.
This graph illustrates the average costs of a data breach:
When asked whether the Information Commissioner would be more likely to fine organisations which could not show evidence that at least 80 per cent of their staff were trained in data protection, a spokeswoman for the ICO said it would take “full account of the facts” in any investigation.
“In deciding whether it is appropriate to impose a monetary penalty and in determining the amount of that penalty, the commissioner will take full account of the facts of the contravention and of any representations made to her,” said the ICO spokeswoman.
“That includes whether or not ‘reasonable steps’, such as staff training, were taken to prevent the contravention.”
The comment came after Civil Society News learnt that organisations in the charity sector have been briefed that the ICO would be more likely to fine an organisation in the event of a data breach if it could not show that at least 80 per cent of its staff had been given specific data protection training.
'Would make no difference for serious breaches'
Tim Turner, a data protection trainer and consultant, told Civil Society News that this has been the case for a while, even if it has not been made public by the ICO. He said, however, that if the data breach in question is serious enough, the number of trained staff “may make no difference”.
“If there is another obvious breach – like a lack of encryption, or poor or absent procedures – it may make no difference,” he said. “But having trained the large bulk of staff is part of building a case that it was an unavoidable accident, where someone makes a mistake.”
Anjelica Finnegan, policy and research manager at Charity Finance Group, said the ICO has not made clear what it considers these “reasonable steps” to be, and called on the ICO to ensure that any judgement “take that charity’s individual situation into account”.
“The statement issued by the ICO makes clear that the Commissioner wants evidence that organisations are doing what they can to protect the personal data that they store. What has not been made clear is how the ICO will determine what constitutes reasonable steps, or what they consider training to be.
“It is important that the Information Commissioner does not go into investigating a data breach with an unrealistic expectation of what they would see as sufficient training for staff.
“The ICO must ensure that any judgement on a data breach within a charity takes the charity's individual situation into account – this includes the charity's income and resources, including the number of paid staff and volunteers.”
Full article: https://www.civilsociety.co.uk/news/ico-less-likely-to-issue-fines-for-data-breaches-if-organisation-s-can-evidence-staff-training.html
KnowBe4's integrated training and phishing platform allows you to send fully simulated phishing scams so you can see which users answer the emails and/or click on links in them or open infected attachments.