Just one look at the data security breaches listed at the Information Commissioner's website is enough to prove that the U.K. still has an enormous problem with personal information being leaked to the wrong people.
This week the Information Commissioner's Office (ICO) gains new powers to enforce Data Protection Act (DPA) fines up to £500,000 for data security breaches. However, numerous organisations continue to leave data unprotected: The list of recent enforcement notices served by the ICO includes several councils, finance companies, a charity, an NHS Trust and a professional body.
Provided they follow the terms of the ICO's enforcement notices and mend their procedures, these organisations can expect no further sanction from the ICO. The only embarrassment or punishment they suffer is to have their public undertaking to improve their ways published on the ICO website. But starting April 6, any organisation responsible for a data security breach could be liable to a Data Protection Act fine.
The ICO last week published details of two cases that exemplify the types of data security breaches that continue to occur. One was regarding a breach at the The Highland Council, which appears to have been for an administrative error. But in the other case, Warwickshire County Council had suffered the theft of two laptops and the loss of a memory stick. The notice announced that the chief executive of the council had signed "a formal undertaking to ensure that portable and mobile devices used to store and transmit personal data are encrypted."
Other recent cases listed on the enforcements pages of the ICO website include:
March 29 -- St Alban's City and District Council had four laptops stolen last October, one of which was password-protected but not encrypted and contained voter records. In this case the council had policies for securing laptops physically, but these had not been followed by a contractor company.
March 24 -- Zurich Insurance plc lost an unencrypted backup tape containing financial personal information belonging to 46,000 policy holders.
March 16 -- Royal London Mutual Insurance Society had eight laptops stolen from its Edinburgh offices, two of which contained the personal details of 2,135 people. The machines in question were password-protected but unencrypted.
February 19 -- Redstone Mortgages Ltd. disclosed personal data of more than 15,000 mortgage customers last August when information was emailed by mistake to a member of the public. The data was not encrypted or password-protected, and similar reports had been emailed each month since 2005.
Commenting on the Warwickshire data security breach, Ewen Anderson, managing director at IT consultancy Centralis Ltd., which is based in Warwickshire, said: "If information security is left up to members of staff to remember to apply encryption to laptops and USB sticks, it will inevitably fail, regardless of the good intentions of organisations or their staff."
He said security should be policy-based and enforced by default, preventing exceptions unless they are properly tracked. "Keeping data securely within the data centre rather than allowing it to be downloaded and locally stored remains the best option for any organisation trying to stay out of the press and on the right side of the ICO," he said.
Whether attitudes will change going forward now that the ICO wields new power is open to question. A new survey carried out by Cyber-Ark Software amongst 500 workers in the City of London found that 65% of them had not been informed about the latest Data Protection Act fines and the potential impact on their organisation of a data security breach. Of those polled, 64% said they carried unprotected customer data on mobile devices.