Infosec Fail: 94% of ICO Notices are Result of Poor Security

UK privacy watchdog the Information Commissioner’s Office (ICO) has handed out £2.17 million in fines over the past 22 months, with a staggering 94% of notices issued as a result of organizations’ poor information security, according to a new report.

Compliance consultancy IT Governance studied all the Data Protection Act (DPA) contraventions from January 2013 to October 2014 and found that the vast majority related to non-compliance with the seventh principle of the DPA.

This states that “appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

Notwithstanding any industry fines that might be levied on top, the average cost of a data breach over the period as a result of ICO action was £35,574.

However, online breaches and cyber attacks cost a much higher £52,308 per incident, while lost devices or files incurred penalties of £35,000 on average.

The report isn’t able to break down organizations by size, although councils were responsible for 33% of all enforcement notices issued, while the healthcare and justice sectors received the highest monetary penalties, an IT Governance spokesperson told Infosecurity.

What’s more, employee error or negligence was found to be the biggest reason for data breaches, betraying a lack of staff awareness and training. One third (32%) of all incidents were due to personal or sensitive data being inappropriately disclosed or sent to the wrong recipient.

IT Governance founder Alan Calder argued that with the EU General Data Protection Regulation potentially landing as early as next year, organizations can’t afford to take infosecurity and data protection lightly.

“Information security management is a key element of privacy regulations, including the Data Protection Act,” he said in a statement.

“Organizations should be turning to ISO27001, the international information security standard, as a means to address both the strategic and operational aspects of information security, and to conform to the principles mandated by the DPA and other regulations.”
