News has broken today that 132 local councils in the UK have lost private data, with more than 1,000 data loss incidents occurring since 2008. The report, released by Big Brother Watch following a number of freedom of information requests, also reveals that just 55 of these incidents were reported to the Information Commissioner’s Office (ICO).
The UK public has little choice but to entrust local authorities with their personal data so the news that 132 councils have lost confidential information means this trust is being abused. Unlike the private sector, where customers can vote with their wallets and simply walk away from firms that lose their data, users of council services have no such freedom.
It therefore becomes even more important that strict regulations are in place that both prevent data breaches from happening in the first place and penalise those organisations which fail to keep data safe.
It’s also surprising that it takes a freedom of information request to uncover the true extent of data loss incidents within councils. A mere 55 incidents were reported to the ICO, even though that’s the body set up to enforce data protection legislation and take action against those that breach it.
With more than 1,000 incidents taking place since 2008, this means almost 95 percent of breaches have been kept secret, until now at least. This level of disclosure will be totally unacceptable to the majority of the UK public, who demand complete transparency about whether their personal information is at risk.
My company’s own research of 2,000 consumers, undertaken in October 2011, shows that 72 percent of people believe that every data breach should be publicly disclosed.
With the EC expected to introduce mandatory data breach disclosure laws early next year, things could start to get significantly tougher for organisations which take a lax approach to data protection. To stop making the headlines for all the wrong reasons, these councils really need to step up their processes and training programmes.
A key area for focus should be the network-wide monitoring of IT systems to alert on suspicious or unexpected activity and to provide vital forensic information in the event that a breach occurs.
Organisations connected to government ICT systems are already mandated to undertake this Protective Monitoring as part of Good Practice Guide (GPG) 13. However, as today’s breach revelations show, not every organisation is doing this effectively, and there is a big difference between being compliant and being secure.