ICO Data Security Incident Trends

A data breach is the intentional or unintentional release of secure or private/confidential data by, say, employees, cyber-hackers, political activists or national governments.

The Information Commissioner’s Office (ICO) is the U.K.’s independent privacy watchdog who have the responsibility of upholding information rights for the benefit of the public interest. Though there isn’t a legal responsibility on companies and/or organisations to report all data security breaches, it’s considered good practice to do so.

Here’s a look at some of the recent data security incident trends from the ICO.

DPA

The Data Protection Act (DPA) presses for companies and organisations to uphold information security:

“…appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

This is the 7^th Data Protection principle. In practice, it means companies and/or organisations must have appropriate cyber-security to prevent personal information being accidentally or deliberately compromised.

The ICO provides tips as follows:

To design and organise your cyber-security to fit the nature of the personal data you hold, and the harm that may result from a security breach.
Be clear about who in your organisation is responsible for ensuring information security. There should be a designated chief information officer.
Ensure you have the right physical and technical security; this should be backed up by robust policies and procedures and well-trained staff.
Be ready to respond effectively to any data breaches.

ICO’s penalties

The ICO has recently fined:

HCA International Ltd £200,000
Royal & Sun Alliance Insurance PLC £150,000
Norfolk County Council £60,000
A Barrister £1,000

They’re always investigating incidents, and the above is just a small example of the sorts of fines they have distributed.

The ICO’s power isn’t limited to monetary penalties – they can also issue undertakings. In one example, an undertaking was issued to Pennine Care NHS Trust for them to comply with the 7^th Data Protection principle.

The privacy watchdog also checks whether undertakings are being complied with. For example, the ICO checked if Wolverhampton City Council (signed in June 2016), Cornwall Council (signed in September 2016) and NHS Digital (signed in April 2016) had completed their undertakings following data protection investigations.

Data breach trends

From October to December 2016 and January to March 2017 there was a reported 20% increase in personal data sent by email to the incorrect recipient, and a 32% increase in failure to black-out personal data.

This is indicative that more training is required for employees who are handling the data. It would be more cost-effective for the company/organisation to train employees on how to handle personal data securely and sensitively rather than having to pay for the repercussions in the event of a security breach.

Though exfiltration seems to be the most common type of cyber-security incident, other vulnerabilities in the system like cyber-security misconfiguration can result in data breaches too. We can’t take these statistics as perfect since they’re based on ‘reported incidents’, and it’s a well-known problem that not all organisations are properly reporting data breaches, and there can be many reasons as to why. One reason is to avoid fines, and another may be to “save face” on the origination’s reputation.

Health and local government at the top of the culprit pile

In the ICO’s study, it’s reported that health, general business and local government were the sectors with the most reported incidents, based on a study published on 20^th June. The ICO notes that breach reporting in the health sector is mandatory.

Start Your Claim

You can call our claims team free from a landline or mobile on 0800 634 7575 or click on the link below to create a call back with one of our expert Data Claims team.

Create A Call Back

Information on how we handle your data is available in our Privacy Policy.

The content of this post/page was considered accurate at the time of the original posting and/or at the time of any posted revision. The content of this page may, therefore, be out of date. The information contained within this page does not constitute legal advice. Any reliance you place on the information contained within this page is done so at your own risk.