According to ViaSat UK, a specialist security and communications company, the number of breaches of the Data Protection Act reported to the Information Commissioner’s Office represents only a tiny proportion of the actual incidents occurring across the UK.
I can’t say that I’m in the least bit surprised by that.
Data pulled from Freedom of Information (FOI) requests showed there were at least 13,000 thefts of devices potentially containing sensitive business data between March 2014 and March 2015 (a figure obtained from just 18 of the UK’s police forces).
Interestingly, however, the ICO was only informed of 1,089 breaches, meaning potentially thousands of cases went unreported.
Lock them up and throw away the key?
Nah, can’t do that – the Data Protection Act, as things stand, has no provision for dealing with the non-reporting of breaches, meaning we have no way of knowing what may or may not have been stolen, how many people may have been impacted or what, if any, action was taken after the devices were stolen.
Chris McIntosh, CEO, ViaSat UK, said:
We must remember that 13,000 thefts is the bare minimum: considering that not all police forces could share this information, the real figure is likely to be many times greater. As a result, thousands of individuals’ private data could well be on borrowed time.
ViaSat noted that the vast majority of the breaches that were reported to the ICO were made by public sector organisations – primarily the healthcare sector (431) and local government (129) – and very few came from the private business arena.
While statistics can tell you everything – or nothing at all – there is a suspicion that the small number of reported breaches in the private sector could signify that it is seriously under-reporting the number it encounters.
It’s clear that this discrepancy isn’t due to the ICO but the framework it has to operate in. As it stands, the ICO simply doesn’t have the tools and powers it needs to ensure that either all threats are reported, or that risk is minimised. For instance, encrypting sensitive data is now a trivial matter in terms of both cost and complexity. If encryption of personal data was made mandatory, and enforced with spot checks and suitable punishments, then the public and the ICO could have much greater confidence [are you listening Mr Cameron?] that none of the 13,000-plus stolen devices represent a threat.
Earlier this week we saw another Freedom of Information request, this time by Egress directly to the Information Commissioner’s Office, which revealed how the number of Data Protection Act breach investigations in the banking industry had risen by 183% over the last two years. Just out of interest, a FOI request made by Egress in November 2014 showed 93% of all breaches across all sectors were caused by human error – food for thought, eh?
So, what is the solution?
The ICO’s role is to encourage best practice in data protection. While it is clear that its financial penalties are aimed at this goal, it still needs more legal and financial muscle to drive its goals. While compulsory reporting of every single potential breach could be difficult to enforce, inevitably it would give the ICO a clearer view of the problem and allow it to better mandate best practice. However, in the meantime compulsory encryption, and the power to police it, is the absolute minimum that the ICO should be granted.
Compulsory reporting, eh? What do you think? Do we need a strict and enforced policy of potential breach reporting or does the answer lie elsewhere?
Given the high levels of human fallibility that often go hand in hand with breaches, I’d suggest that legal frameworks aren’t the only answer and that, in fact, businesses should be far more concerned about preventing breaches than dealing with the aftermath when one does occur (though it does of course go without saying that an incident response plan and compliance with industry regs and legislation are essential).