
The Data Protection Commissioner (DPC) has no power to take action against Powergen over the security breach that left 7,000 customer debit card details unsecured on its web server in July.
By Sarah Left
Published: 13 October 2000 16:00 GMT
Powergen breached the principles of the Data Protection Act 1998 when it left the information in an insecure area of the web site, according to assistant data protection commissioner, Phil Jones.
But he explained that the DPC has no power to take punitive action when data protection principles are breached, and the best it can do is issue formal enforcement notices.
However, no such notice will be issued to Powergen, as the DPC says there is no conclusive evidence that there are any current security issues with the company's site and it is not interested in issues that are now past.
Phil Jones, assistant commissioner at the DPC, explained: "Parliament didn't give us enforcement powers. We don't have a 'rapping over the knuckles' power. Only a tiny minority of breaches of principle end up in enforcement notices."
Jones added that enforcement notices were difficult to obtain. He said: "The process is complex and time-consuming, and the enforcement notices can be appealed. Virtually everyone we issue one against appeals."
IT worker John Chamberlain informed silicon.com of the security breach in July after finding card details and personal information belonging to other Powergen customers when he went to pay his own bill online.
Powergen initially accused Chamberlain of hacking its website, although the company later retracted that claim, admitting the information had been outside the security gate due to a technical error.
Chamberlain expressed his disappointment with the DPC's decision. He told silicon.com: "They've met with Powergen and accepted what it said without consulting me. I was not contacted by the DPC during the investigation."
The leaked DPC document also states that the threat of adverse publicity in the press is more effective than any action it might take in preventing companies making security errors.
Chamberlain added: "It sounds to me like they're saying the press will do a better job than the DPC as a deterrent. That means only large companies will be affected. But what about smaller companies that the press aren't interested in?"