ICO: Data-breach spate 'no worse' than normal

The Information Commissioner's Office has said the recent surge of data-breach reports does not indicate a rise in security lapses
Written by Tom Espiner, Contributor

The Information Commissioner's Office has said that the rash of data-breach reports in the past five months is due not to more data breaches, but to more people admitting to them.

HM Revenue & Customs' loss of 25 million details of people claiming and receiving child benefit was the catalyst for a surge of data-loss reports, an ICO spokesperson told ZDNet.co.uk on Friday.

"More people are stepping forward as they realise the importance of data breaches," said the spokesperson. "We don't think the situation is any worse. Back in July last year we highlighted the need for more data protection."

The ICO released its annual report in July 2007, which criticised "horrifying" security lapses at some of the UK's largest companies.

Increasing scrutiny from regulators, including the ICO, is encouraging more disclosure, said the ICO spokesperson. There is also an ongoing review of data-handling procedures in Whitehall, which the spokesperson said is exposing more data-loss incidents.

"People are stepping forward because they want to get it right," the spokesperson added.

Recent reports of data losses include the loss of a laptop by the Ministry of Defence, disclosed in January, which contained personal details of 600,000 prospective or actual recruits for the armed forces. The MoD also lost the bank details of approximately 3,500 of those people. The DVA admitted to losing thousands of learner-driver details in December, while the NHS said in January that it had lost thousands of patient records on a USB drive.

The ICO said that a common thread in these incidents is that the lost devices had no encryption. "If people used more encryption, they would have fewer problems," said the spokesperson.

Private companies can also suffer from regulatory scrutiny due to data loss. The Financial Services Authority fined Norwich Union £1.26m in December for failing to manage customer data adequately.

Financial advisory firm Deloitte said there was increased scrutiny of organisations by regulators. "The issue of protecting the privacy of sensitive data has never been under such intense scrutiny," said Mike Maddison, head of security and privacy services at Deloitte. "Increasingly regulators and watchdogs are examining the approaches organisations are taking to protect this vital private information."

Maddison said that it is "often the simplest of procedural errors that can result in a security breach".

"As there is no software patch for people, it is clear that the solution to managing such a risk requires flexibility and is as much about people and culture as process and technology," Maddison said. He added that consumer concerns will continue to make data compromise a high-profile issue, and could result in increased legislation.
