A data breach is the intentional or unintentional release of secure or private/confidential data by, say, employees, cyber-hackers, political activists or national governments.
The Information Commissioner’s Office (ICO) is the U.K.’s independent privacy watchdog, responsible for upholding information rights in the public interest. Though there isn’t a legal obligation on companies and/or organisations to report all data security breaches, it’s considered good practice to do so.
Here’s a look at some of the recent data security incident trends from the ICO.
The Data Protection Act (DPA) requires companies and organisations to uphold information security:
This is the 7th Data Protection principle. In practice, it means companies and/or organisations must have appropriate cyber-security to prevent personal information being accidentally or deliberately compromised.
The ICO provides tips as follows:
- Design and organise your cyber-security to fit the nature of the personal data you hold, and the harm that may result from a security breach.
- Be clear about who in your organisation is responsible for ensuring information security. There should be a designated chief information officer.
- Ensure you have the right physical and technical security; this should be backed up by robust policies and procedures and well-trained staff.
- Be ready to respond effectively to any data breaches.
The ICO has recently fined:
- HCA International Ltd £200,000
- Royal & Sun Alliance Insurance PLC £150,000
- Norfolk County Council £60,000
- A Barrister £1,000
They’re always investigating incidents, and the above is just a small sample of the sorts of fines they have issued.
The ICO’s power isn’t limited to monetary penalties – they can also issue undertakings. In one example, an undertaking was issued to Pennine Care NHS Trust for them to comply with the 7th Data Protection principle.
The privacy watchdog also checks whether undertakings are being complied with. For example, the ICO checked if Wolverhampton City Council (signed in June 2016), Cornwall Council (signed in September 2016) and NHS Digital (signed in April 2016) had completed their undertakings following data protection investigations.
Data breach trends
Between the October to December 2016 quarter and the January to March 2017 quarter there was a reported 20% increase in personal data sent by email to the incorrect recipient, and a 32% increase in failure to redact (black out) personal data.
This is indicative that more training is required for employees who are handling the data. It would be more cost-effective for the company/organisation to train employees on how to handle personal data securely and sensitively rather than having to pay for the repercussions in the event of a security breach.
Though exfiltration seems to be the most common type of cyber-security incident, other weaknesses in a system, such as cyber-security misconfiguration, can result in data breaches too. We can’t take these statistics as perfect since they’re based on ‘reported incidents’, and it’s a well-known problem that not all organisations properly report data breaches, for many possible reasons. One reason is to avoid fines, and another may be to “save face” and protect the organisation’s reputation.
Health and local government at the top of the culprit pile
In the ICO’s study, published on 20th June, health, general business and local government were the sectors with the most reported incidents. The ICO notes that breach reporting in the health sector is mandatory.