“ICO needs greater powers to deal with true scale of data breaches” warns ViaSat

Breaches of the Data Protection Act reported to the Information Commissioner’s Office (ICO) are only a tiny fraction of the true number of such incidents happening across the UK. That’s according to a series of Freedom of Information requests from security and communications specialist ViaSat UK.

While 1,089 breaches were reported to the ICO between March 2014 and March 2015*, police forces across the UK reported at least 13,000 thefts** of devices that could hold sensitive data from businesses – meaning that there are thousands of potential incidents going unreported.

Since the current Data Protection Act contains no legal obligation to report breaches and has no specific security requirements included, there’s no way of knowing whether any of these thefts place the population’s myriad sensitive data at risk.

“We must remember that 13,000 thefts is the bare minimum,” asserted Chris McIntosh, CEO at ViaSat UK. “Considering that not all police forces could share this information, the real figure is likely to be many times greater. As a result, thousands of individuals’ private data could well be on borrowed time.”

McIntosh continued: “It’s clear that this discrepancy isn’t due to the ICO but the framework within which it has to operate. As it stands, the ICO simply doesn’t have the tools and powers it needs to ensure that either all threats are reported or that risk is minimised. For instance, encrypting sensitive data is now a trivial matter in terms of both cost and complexity. If encryption of personal data was made mandatory, and enforced with spot checks and suitable punishments, then the public and the ICO could have much greater confidence that none of the 13,000-plus stolen devices represent a threat.”

Breaches in business sectors

The majority of breaches reported to the ICO came from the healthcare sector, which was responsible for 431 in total. The next highest was Local Government with 129. Indeed, between them these two sectors, which mostly represent public sector organisations, accounted for 51% of all reported breaches*** and the greatest number of undertakings enforced by the ICO****.

With other mainly public sector organisations – such as education and law enforcement – accounting for a significant number of reported breaches, the statistics suggest that the private sector is still greatly under-reporting the number of potential breaches it encounters.

“The ICO’s role is to encourage Best Practice in data protection,” stated McIntosh. “While it’s clear that the organisation’s financial penalties are aimed at this mission, the ICO still needs more legal and financial muscle to drive its goals forward. While compulsory reporting of every single potential breach could be difficult to enforce, inevitably it would give the ICO a clearer view of the problem and allow it to better mandate Best Practice. However, in the meantime compulsory encryption, and the power to police it, is the absolute minimum that the ICO should be granted.”

References

*The total of self-reported data breaches to the ICO between 12 March 2014 and 12 March 2015: 1,089. That figure between 1 March 2013 and 28 February 2014 was 1,274, and for the period between 8 March 2012 and 8 March 2013 it was 1,150.

The total value of monetary penalties issued by the ICO for self-reported data breaches between 12 March 2014 and 12 March 2015: £1,142,500. The corresponding figure for the period 1 March 2013 to 28 February 2014 is £1,230,000, and for 8 March 2012 to 8 March 2013 it is £2,610,000.

**Number of thefts reported from businesses to 18 UK police forces between 1 March 2014 and 28 February 2015 (inclusive): 67,677

Number of thefts of devices capable of holding sensitive information: 13,079

***Top five sectors for self-reported data breaches 2014-2015: Healthcare (431), Local Government (129), Education (86), General business (72) and Solicitors/Barristers (55)

****ICO undertakings 2014-2015 by sector: Local Government (24), Healthcare (14), Policing and Criminal Records (6), General business (4), Media (3), Estate Agents (2), Leisure (2), Lenders (2), Solicitors/Barristers (2), Education (1), Financial Services (1), Housing (1) and Recruitment Agencies (1)

*****Number of self-reported data breaches 2014–2015 by type: Disclosure of data (689), Security (375), Inaccurate data (6), Use of data (5), Breach of Section 55 of the Data Protection Act by an individual (4), Subject access (3), Obtaining data (3), Retention of data (3) and Excessive/Irrelevant data (1)

******Number and value of monetary penalties 2014-2015 by breach type: Security (five penalties totalling £812,500), Use of data (two penalties totalling £150,000), Disclosure of data (one penalty totalling £180,000)

Methodology

ViaSat UK contacted the ICO requesting statistics on self-reported data incidents between 12 March 2014 and 12 March 2015, broken down by type and sector.

In addition, ViaSat UK contacted each of the police forces in the UK to request statistics on thefts between 1 March 2014 and 28 February 2015 (inclusive). The company requested information on the number of thefts where computing and communications equipment capable of holding sensitive data had been stolen, and whether thefts had been reported from individuals or organisations.

Of the 34 forces that responded, not every force was able to provide the full information needed. As a result, statistics are based only on the 31 forces that could give precise and verified detail.

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications). Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian is actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.