ICO turns fines on private sector data breaches

The Information Commissioner's Office has increased the volume of penalties given to the private sector as it continues to clamp down on data breaches

The number of data breaches continues to rise, with the Information Commissioner's Office (ICO) handing out more fines to those that fail to look after sensitive information, and the public sector no longer taking the brunt of the financial penalties.

The growth in money paid to the ICO by the private sector is an emerging trend picked out in the details gleaned from a Freedom of Information request filed by security player ViaSat, looking into breach report volumes and their consequences.

The number of self-reported data breaches increased to 1,150 between March 2012 and February 2013, compared to 730 in the same period a year before. On the fines front there were 20 penalties totalling £2.6m, compared to just 9 bringing in £791,000 a year earlier.

The public sector is still making errors, with local councils accounting for 8 penalties and the NHS getting its knuckles rapped 6 times, but 4 were picked up by the private sector, compared to just a single penalty a year earlier.

The conclusions appear to give resellers more reasons to talk about data protection with customers on both the public and private side, with more breaches being reported and more fines being issued than in the past.

“Those of us concerned about the state of data protection in the UK can take some comfort from these figures,” said Chris McIntosh, CEO of ViaSat UK, who said the rise in reported breaches indicated that they were not being ignored and left to fester, and that the ICO was getting firmer in enforcing the Data Protection Act. “Not only has the number of monetary penalties increased year-on-year, but they have grown in size and been implemented across both the public and private sectors.”

He said that more education was needed, with human error still accounting for many breaches despite the best intentions of firms hoping that staff would stick to following security policies.

“At the very least workers should be well-educated, and ideally systems should be in place to minimise the risk of human error in IT operations. At the same time, it is essential that the public becomes better-educated about the true nature of IT security. While the ICO can keep issuing undertakings and penalties, it is only widespread change in public awareness and expectations that will truly drive organisations to change,” said McIntosh.