ICO shows increasing willingness to penalize the private sector

ViaSat UK obtained a breakdown of reported breaches and monetary penalties issued by the Information Commissioner between March 8th 2012 and March 8th 2013. It finds that breaches reported to the ICO have grown from 730 in the preceding 12 months to 1,150 in the latest period. During the same period, fines levied have grown from £791,000 (nine separate penalties) to £2,610,000 (20 separate penalties).

“It is clear,” comments Chris McIntosh, ViaSat UK’s CEO, “that the ICO is standing by its promise to use both the carrot and the stick when enforcing the data protection act. Not only has the number of monetary penalties increased year-on-year, but they have grown in size and been implemented across both the public and private sectors.”

In the 2011 period, eight of the nine penalties were levied against public sector organizations (£790,000 out of the total £791,000). During the 2012 period, 16 of the 20 penalties were levied against the public sector (£2,090,000 out of the total £2,610,000). This shows an increasing willingness to take action against the private sector – but public sector penalties still dominate.

The obvious observation from the figures would be that the public sector takes less care over protecting personal information than the private sector. However, the UK does not have a compulsory breach notification requirement: while the public sector is under pressure to report breaches, the private sector has commercial pressure to keep them quiet. McIntosh believes that both factors are relevant to the ICO figures. “Clearly a legal requirement would gain the attention of risk owners; however if local authorities do not perceive their data as being high value then they will not make the effort required to secure it appropriately.”

The largest fine in the private sector was levied on Sony, which received a fine of £250,000 for the 2011 breach of the PlayStation Network. In the public sector, eight penalties were levied against local councils (a total of £845,000), and six penalties against NHS bodies (a total of £945,000). Most of the penalties were for simple human error – especially sending or sharing information inappropriately.

“What is clear from these findings,” concludes McIntosh, “is that the human factor is still the primary cause behind data breaches. However, this doesn’t mean that organizations can assume their other defenses are now airtight: a truly secure system means taking into account every single way that data could be lost or misused, from encrypting devices to making sure employees know how to use email, as well as how they interact with one another.”
