Analysis of Information Commissioner Cases

We carried out an analysis of the data breach cases which led to the UK’s Information Commissioner extracting an undertaking from the organisation concerned. Over the last 18 months (May 2010 – mid-November 2011), this is the breakdown of 85 cases:

Incident type No. Cases

%

Lost / stolen unencrypted laptop 16 18.8%
Lost / stolen unencrypted USB (20) CD (1) camcorder (1) 22 25.9%
Lost / binned / theft / exposure of papers records 24 28.2%
Data exposed on website / emailed or
faxed to unauthorised individuals
16 18.8%
Unsecure / incorrect / exposure of electronic data storage 7 8.3%
Unsecure / incorrect / exposure of electronic data storage 7 8.3%

The largest category of data breaches is to do with paper records, not with digital data. Many people don’t seem to think that that DPA also applies to paper records. More than that, it is harder for organisations to impose technical security controls on paper documents. This gap can only be filled by training. In today’s climate, the most cost-effective way to train people is DPA Staff Awareness eLearning – this ensures that all staff get a consistent message, tests staff understanding of the key concepts, retains records of completion of training and testing, and enables the employer to systematically train everyone at a low individual cost.

Nearly 50% of the cases are due to an absence of encryption – either of a laptop or of a USB stick. Failure to require staff to use encrypted USB stick (SafeSticks) s is, bluntly, reckless.

The breakdown of organisations concerned is also interesting:

Offender No. Cases

%

Lawyers 4 4.7%
Schools 11 12.9%
Councils 18 21.2%
Social services 4 4.7%
Hospitals / NHS trusts 29 34.1%
Commercial organisations 10 11.8%
Police 3 3.5%
Government 6 7.1%
Public sector 88.2%
Private sector 11.8%

I’m convinced that the only reason the private sector does so well in these statistics is the anomaly that the public sector is required to report data breaches, but the private sector is not (yet). This may change a bit with the new PECR requirement on ISPs to report data breaches but, until the appearance of a broader pan-european data breach reporting requirement, I would expect this reporting imbalance to continue.

The private sector is, however, subject to potentially hefty financial penalties – from the ICO and from individual regulatory bodies, such as the FSA. More importantly, breached private sector organisatons are subject to those most severe of business penalties – reputation destruction and customer desertion. The sensible private sector organisation will be taking steps, now that ISO27035 has been published, to ensure that its incident management and security breach reporting capabilities are up to scratch.