ICO Cracks Down On Data Breaches, But No Fines

The ICO has been putting the spotlight on data breaches following two incidents this week, but has so far issued no fines

The Information Commissioner’s Office (ICO) has been coming down hard on institutions that are responsible for data breaches, after a Berkshire council lost a memory stick containing personal information about children, and a surgery in Wales lost a USB containing details of 8,000 patients in the same week.

On 2 June it was reported that West Berkshire Council had lost a USB stick containing information about the ethnicity and physical or mental health of local children. The device was not encrypted or password protected.

This is the second data security incident reported by the council in six months. Following further investigation, it emerged that the council had introduced encrypted USB drives in 2006, but some employees were still using unsecured devices.

“A new compulsory campaign of security training is already taking place and an audit is underway to ensure that no further unencrypted memory sticks are in use,” a council spokesman told the BBC.

Organisations not fined for breaches

Then, on 3 June, it was reported that a surgery in Lampeter, Ceredigion had lost the details of 8,000 patients in the post, including their names and addresses. The memory stick was reported lost in March, after a member of staff downloaded an entire database onto an unencrypted memory stick, which was also not password protected.

The memory stick was posted by recorded delivery to the Health Board’s business service centre, but failed to arrive.

The ICO has ruled that both incidents breached the Data Protection Act. However, neither organisation appears to have been fined, despite warnings earlier this year that companies that fall foul of data breach laws risk a maximum fine of £500,000. The ICO has also been pushing for prison sentences to be introduced for professional data thieves.

“It is imperative that staff are made fully aware of an organisation’s policy for securing personal data and any portable device containing personal information should always be encrypted to prevent it being accessed in the event of loss or theft,” said ICO enforcement group manager Sally-Anne Poole.

Earlier this week, the ICO published a list of all the data breaches reported since 2007. Of the 1,007 reported breaches, the NHS was responsible for 305.

Only half caused by theft

According to the report, just under half of the NHS data breaches were caused by stolen data and hardware. A further 87 breaches were caused by lost data and hardware, 43 were due to data being disclosed in error, 7 came from information that was lost in transit, and 17 from technical or procedural failure.

“We all know that mistakes can happen, but the fact is that human error is behind a high proportion of security breaches that have been reported to us,” said David Smith, Deputy Commissioner of the ICO. “Extra vigilance is required so that people’s personal information does not end up in the wrong hands.”

At the Infosecurity Europe 2010 show in London, a survey by SaaS email security provider Proofpoint also found that 93 percent of respondents were concerned about the potential for private or personal information to be leaked via email.

This is despite the fact that nearly two thirds of those surveyed said that their company had implemented data protection regulations, and around half had already deployed some kind of email encryption system.

“Enterprises have a pressing need to adhere to regulations that require special handling of sensitive information in emails, and require automatic methods for ensuring compliance,” said Ken Yearwood, director NEMEA at Proofpoint. “It is gratifying to see that passwords are now commonplace and that businesses are embracing security mechanisms such as full disk encryption to ensure that the company is not at risk in the event that a laptop is lost or stolen.”