ICO fines and the public sector: something needs to change

Public bodies are often called out for data breaches, and it's absolutely right that they are. Individuals have no choice but to share their data with these bodies, so they must be held to a higher standard than private companies when it comes to the protection of personal information. But are the fines that the UK Information Commissioner's Office (ICO) hands out, and the 'letters of undertaking' given to it by those responsible for data breaches, doing anything at all to combat the problem? The recent report from Big Brother Watch would suggest not.

The Big Brother Watch report identified that local authorities had 4,236 data breaches over the last three years. As ludicrous as that sounds, it gets worse. The report goes on to list the worst offenders: 10 local authorities had 100 or more data breaches, with Brighton and Hove 'winning' with 190. With so many local councils suffering repeated data breaches, and no disciplinary action taken in more than two-thirds of cases, it's pretty clear that no one is learning anything from these breaches, and the public can therefore expect more of the same.

Of course, data breaches aren't limited to public bodies, the case of the Carphone Warehouse being top of mind, but there are a few interesting differences between data breaches in private and public organizations.

No Caveat Emptor - Human Error Is the Biggest Problem

People can choose which private companies they share their personal information with. So in the case of the Carphone Warehouse, people can simply choose not to buy from them again and request that their details be deleted. People don't have this choice when it comes to local authorities: there's no 'let the buyer beware'.

Secondly, looking at the Carphone Warehouse specifically, the incident that left its 2.4 million customers vulnerable was a cyber-attack. Of course, not all data breaches in private companies come from such a source; many are caused by human error. The IT Policy Compliance Group says 75% of ALL data losses are down to human error, the Aberdeen Group says 64%, and most recently CompTIA said human error is the root cause of 52% of security breaches. But when you look at the causes of the data breaches identified in the Big Brother Watch report, the vast majority appear to be human error and therefore absolutely avoidable, which is what's so unforgivable about this whole situation.

Some of the causes cited include:

  • 628 instances of incorrect or inappropriate information being shared on emails, letters and faxes
  • More than 5,000 letters were sent to the wrong address or included content meant for another recipient
  • 197 mobile devices including phones, computers, tablets and USBs lost or stolen

Are ICO fines helping anyone?

When the ICO fines a private company, its shareholders know about the fine and can hold employees, normally those at the top, accountable. In contrast, when the ICO fines a public authority, it takes money out of the public purse, which means cuts to public spending and resources, whilst those who pay the salaries of those responsible, i.e. the taxpayers, have no say over what happens to the guilty parties. The result is that those in charge continue to waste public money.

Sometimes the ICO doesn't even issue a fine, choosing instead to accept a 'letter of undertaking' from those responsible promising to rectify the issues that caused the breach. Given the number of repeat offences identified in the Big Brother Watch report, I'm not sure those letters are worth the time it takes someone to type them.

So citizens have their personal information compromised, see public resources in their area squeezed as a result, and are powerless to stop it from happening again: it's a lose, lose, lose.

The technology and the training exist to combat these breaches. What's missing is the will of senior members within these public bodies to take data security seriously, and the will of the ICO to properly hold them to account.

Technology and training: New EU laws are on the way

In terms of technology, there is a whole host of solutions available, from encryption to tracking technology and everything in between, but the crucial thing to get right in order to prevent further data breaches is the culture and training around handling data. If employees aren't trained, and policies don't exist or aren't clear, then it's not human error, it's a management issue. With the EU data protection regulation on the way, organizations will need to disclose data breaches within 24 hours, so now would seem like exactly the right time for public bodies to start getting their data ducks in a row.

Does the role of the ICO itself need to change?

But what about the role and methods of the ICO? Hopefully, with the new EU regulation, the ICO will have bigger, sharper teeth, but what we don't want to see is simply bigger fines for public bodies; that would be a self-perpetuating disaster. There needs to be a complete rethink of how the ICO deals with public bodies that are funded with public money.

Maybe the ICO should be working with training bodies on education around data protection. Maybe it should be working on identifying everyone with access to personal information and adopting a three-strikes approach that makes it impossible for those responsible for data breaches to work with data again. Maybe it should be working with technology companies so that it can advise on the kinds of technology available to protect data.

But certainly, it shouldn't be continuing to operate as it does now, as clearly that's not an effective use of taxpayers' money.

About the author:

Norman Shaw is the founder and CEO of ExactTrak, a UK based technology company specialising in the tracking, management and protection of mobile data through its patented technologies.