The Information Commissioner’s Office annual report issued in July highlighted the need for organisations to pay greater attention to data protection at board level, and acknowledged that there are still major challenges in preventing inadvertent data loss.
The report stated that the ICO has “regulated data security breaches more firmly, focusing more on the use of our civil monetary powers and reducing the number of undertakings issued.” It has issued over ten civil monetary penalty notices totalling £1,171,000 during the 12 month period covered in the report.
Many organisations are aware of the risk of external threats, but too often simple steps like internal education or putting safety measures in place are missed. For example, a penalty of £120,000 was issued to Surrey County Council following three data security email incidents. On each occasion, sensitive personal information was emailed to incorrect recipients. If simple processes and procedures are not put in place then there can be serious consequences for an organisation.
Additionally, the ICO now holds even more power, enabling it to impose monetary penalties of up to half a million pounds for serious breaches of the Privacy and Electronic Communications Regulations. This serves as a stark warning that organisations need to take the internal protection of their employee and security data more seriously.
The consequences of data breaches can also extend far beyond ICO sanctions. For private sector companies, the reputational damage can directly impact the bottom line and customer confidence in the business.
In the last 12 months, the ICO has also focused on a growing audit programme, completing 42 audits. The ICO believes that these audits have helped raise awareness of the responsibility private and public sector institutions have towards data security.
This is a key issue for UK businesses – awareness must be raised throughout the business, from board level to individual employees, and anyone who handles data or is responsible for its security must be aware of the consequences of mishandling it. Organisations also need to examine whether they have processes in place not only to protect data, but to detect when a breach has occurred.
Trends like increased mobility are prevalent in the private sector. Consequently there is more responsibility to ensure the appropriate measures are in place to protect data. Potentially sensitive data is now increasingly found beyond the corporate network and is no longer just behind the firewall. Data could be anywhere, and even companies that don’t have consumer devices in the workplace will face this challenge as a result of increased mobility.
Interestingly, many of the breaches we have seen this year, such as Surrey County Council, were entirely preventable. I would advise that businesses put policies in place to ensure that all data is handled appropriately, and use technology to help enforce those policies.
This technology can range from easy-to-use secure messaging solutions that allow users to encrypt sensitive messages, to systems that automatically monitor and alert staff to risky actions so they can avoid them. Such technology could also control data transmission and encrypt material where necessary. One of the biggest benefits of these technologies is the “speed trap” effect – when employees know there is technology in place monitoring their actions, they are extra careful about what they do.
Businesses are facing pressure to treat data responsibly, regardless of any implications with the ICO and potential fines. They face reputational and potentially even more severe effects as a result of failing to have appropriate processes and technology in place; at the centre of this is awareness. Whether public or private sector, there has to be increasing awareness far beyond the boardroom.