What isn’t clear from these figures alone is the underlying cause. Are companies and organizations becoming less efficient at protecting data, or is the industry at large becoming more efficient at reporting those breaches – or is the ICO simply becoming more aggressive in its attitude towards loss of personal information?
One thing is clear according to Syscap, an independent IT finance provider: while the majority of fines have been against public bodies, the ICO is also increasingly taking action against private organizations that lose private data. “It’s clear that the ICO is starting to take a much more proactive stance in penalizing data lapses,” commented Philip White, Syscap’s chief executive, “so this is something that business owners need to take very seriously.” He believes that one of the problems is the recession. “Budgets have been stretched... so upgrading old or out-of-date IT equipment has been put on the backburner for some time now. This has left some old or redundant systems open to data lapses.”
Ross Brewer, vice president and managing director for international markets at LogRhythm, welcomes the ICO figures. “It is about time the ICO took a much tougher approach when dealing with data breaches, given the somewhat lackluster approach of previous years,” he said. “In today’s information age, nominal fines and letter-writing initiatives to warn about data handling simply do not cut it – hence the almost constant stream of data incidents still hitting headlines.” He pointed to LogRhythm’s own research from the end of last year showing that 64% of UK consumers don’t even know what the ICO is, and only a third of the remaining 36% think he is doing a good job.
Brewer hopes that a more aggressive ICO will help to change things. “The ICO seems to be taking data security more seriously and organizations will have no choice but to take heed if they wish to avoid the financial and reputational repercussions of a breach,” he added.
In introducing the ICO annual report last month, Information Commissioner Christopher Graham was remarkably upbeat, with comments like “...the ICO is well up to the task”, “...the ICO has bared its teeth...”, “It’s a case of ‘wake up and smell the CMP!’”, and “...the regulator is getting results.” Criticism from the security industry has nevertheless remained high. “After all, what’s the point of being given the power to make a difference for the better if you’re not going to use it?” asks John Thielen, Axway’s chief security officer. “It’s about as good as being handed a winning lottery ticket and leaving it your top drawer.” This may now change. “The ICO has finally started to step up to the mark and shown its teeth,” he added.