Data breaches and the ICO – the never ending cycle
13 April 2012
By Graeme Stewart

The frequency of data breaches and relatively small fines could end up with data loss being seen as a necessary evil, warns one IT security specialist.
Since the start of 2012, we have seen a resurgence of fines from the Information Commissioner's Office (ICO), with Cheshire East Council, Croydon Council and Norfolk County Council all facing fines following serious data breaches.
For Croydon Council, a bag containing information relating to the care of a child sex abuse victim was stolen from a London pub, resulting in a £100,000 fine. Norfolk County Council has been served with an £80,000 fine for providing information regarding allegations against a parent and the welfare of their child to the wrong recipient. And Cheshire East Council was ordered to pay £80,000 for failing to take appropriate measures to ensure the privacy of emails regarding police suspicions over a volunteer.
None of these are acceptable, and the ICO has fallen below par in its reaction to every case.
Society – government included – needs to take a step back to really appreciate what is actually being compromised by such damaging breaches. In recent cases, child sex abuse victims have been exposed, child welfare information has been revealed and police emails have been leaked into the public domain. These are all extremely vulnerable individuals, and the fact that simple rules to safeguard sensitive details relating to their identities and circumstances have seemingly been ignored or easily broken is unforgivable.
The fact that preventable mistakes continue to happen, year on year, clearly demonstrates that something needs to change. Whether it is better technology and safeguards being put in place, new regulations, an increase in punishments, or a combination of all of the above – a change in attitude towards sensitive data needs to take place. After all, what may be a routine case to a council employee will often relate to the most private, most sensitive information about the victim.
The problem is compounded by the sizes of the fines issued. They may initially appear to be big but, in the grand scheme of things, they are not – and the fact that council after council will simply pay and carry on, without any change to their processes or policies, does little to prevent further instances of data loss.
Worse still, the frequency of these data breaches undermines their severity to the outside world. As more and more data breaches make the news, and the ICO continues to hand out fine after fine, stories will stop making headlines, and data loss could end up being perceived almost as a necessary evil, in the challenging climate of cutting costs and expanding workloads. We simply cannot let it get to this stage.
The kinds of mistakes that lead to these instances of data loss are completely preventable. The manifesto for change can be simple:
1. The ICO must raise its game. Start handing out big-ticket fines. Losing a citizen's confidential data is unacceptable, as they will have little recourse for redress. Losing a child's data is a disgrace for the same reason, but amplified.
2. Deploy the technology. Encryption isn't cutting edge anymore – it's a commodity.
3. Stop organisations being able to simply accept fines, look shame-faced for five minutes and get on with things. Give the ICO a 20-fold increase in fining powers, some nice shiny powers compelling people to remediate mistakes, and a legal requirement for public bodies to publish their infosecurity status in annual reports.
4. Offer training to people that handle data, and make them totally aware of the implications of lax care.
The past year of data breaches has proven that not only individuals, but the organisations they represent and the bodies that claim to be protecting against such breaches, need to make changes. Without radical moves such as those above, the never-ending cycle of breach, fine, payment will continue. Without change, it is the very people we should be protecting that are being put in the firing line, time and time again.

Graeme Stewart is public sector business development director at Sophos.