After the landmark first cases in November where monetary penalties were issued to Hertfordshire County Council for ‘two serious incidents’ regarding accidentally sent faxes, and to employment services company A4e for the loss of an unencrypted laptop, two more councils have also been fined for the loss of unencrypted laptops.
When talking to customers I often find they deal with legislation and compliance in silos e.g. PCI DSS. The reality is there are common security elements across almost all pieces of legislation and compliance.
A simple way of dealing with the above issue is to ask “how important is the data”. E.g. because of PCI DSS, card holder is important and with the Data Protection Act so is customer data, so why not apply the same levels of protection and controls to both?