Legal threat looms over data careless UK plc

The Data Protection Act (DPA), which came into force in March this year, increases companies' liability for the loss or destruction of personal data. If a company has exposed personal details over the internet or been subjected to a security breach, such as a hack, the owners of that data may file for a criminal charge.

Speaking to silicon.com, Robert Bond, IT lawyer and partner at city law firm Hobson Audley, said many companies are not aware how serious the DPA's implications are.

He said: "If a company becomes a victim of a security attack, it will be liable for damages or compensation under the DPA which can amount to large sums and tarnish the company's reputation. It is vital that data security is good enough to prevent an attack or an accidental exposure. "

Nick Lockett, a barrister specialising in internet law and data protection at legal firm Sidley and Austin, warned compensation cases will increase.

He said: "Companies must understand the importance of setting up decent protection measures such as firewalls and encryption technology. We will see more and more Powergen-style security blunders emerging, and those cases will be costly for businesses," he said.

Anthony Riem, partner at data protection specialists Philippsohn Crawfords Berwald, said: "Many companies do not see security as their top priority. IT directors should play a more active role in ensuring the company's security policy has no loopholes."

This was a view shared by Ian Brown, policy adviser at campaign group Privacy International. He said: "Security has been largely ignored by both large and small UK companies because it is seen as a technical issue. This will change once a high profile attack happens, which can only be a matter of time."