
The Data Protection Commissioner (DPC) has no power to take action against Powergen over the security breach that left 7,000 customer debit card details unsecured on its web server in July.
By Sarah Left
Published: 13 October 2000 16:00 GMT
Powergen breached the principles of the Data Protection Act 1998 when it left the information in an insecure area of the website, according to assistant data protection commissioner, Phil Jones.
But he explained that the DPC has no power to take punitive action when data protection principles are breached, and the best it can do is issue formal enforcement notices.
However, no such notice will be issued to Powergen, as the DPC says there is no conclusive evidence that there are any current security issues with the company's site and it is not interested in issues that are now past.
Phil Jones, assistant commissioner at the DPC, explained: "Parliament didn't give us enforcement powers. We don't have a 'rapping over the knuckles' power. Only a tiny minority of breaches of principle end up in enforcement notices."
Jones added that enforcement notices were difficult to obtain. He said: "The process is complex and time-consuming, and the enforcement notices can be appealed. Virtually everyone we issue one against appeals."
IT worker John Chamberlain informed silicon.com of the security breach in July after finding card details and personal information belonging to other Powergen customers when he went to pay his own bill online.
Powergen initially accused Chamberlain of hacking its website, although the company later retracted that claim, admitting the information had been outside the security gate due to a technical error.
Chamberlain expressed his disappointment with the DPC's decision. He told silicon.com: "They've met with Powergen and accepted what it said without consulting me. I was not contacted by the DPC during the investigation."
The leaked DPC document also states that the threat of adverse publicity in the press is more effective than any action it might take in preventing companies making security errors.
Chamberlain added: "It sounds to me like they're saying the press will do a better job than the DPC as a deterrent. That means only large companies will be affected. But what about smaller companies that the press aren't interested in?"