All the recent fuss about high profile data security breaches in the public sector has forgotten one important thing – the public sector is not the only culprit.
The private sector has historically been just as careless. Norwich Union has in the last month been fined £1.26m by the FSA because customers have lost millions of pounds through identity fraud. Norwich Union had failed to put in place proper security checks at its call centres which caused customers to lose £3.3m through identity theft. The fine follows the FSA’s ruling against Nationwide last year, where it was fined £980,000 after 11m customers’ details were lost when an employee’s laptop was stolen.
None of the data security breaches discussed endlessly in the media at the moment are new – each year, thousands of laptops are stolen, BlackBerrys lost, documents inadvertently thrown into non-confidential bins, client data stolen by dishonest employees, and websites hacked into.
Mostly this is through carelessness and organisations’ failure to implement proper measures (technological and organisational) to protect personal data. Simple practical safeguards should routinely be taken, as the DPA already requires. All organisations should ensure sufficient safeguards are in place to guard against loss of customer and employee data, including considering encryption technology for laptops, greater security around the transportation of back-up tapes, other software solutions to detect the downloading of sensitive data from networks, and staff monitoring.
Some commentators believe there is a lack of incentive for businesses to focus on these issues (for example, there is no requirement to disclose data breaches to the public). Norwich Union and Nationwide were only fined because they are regulated by the FSA, whose rules provide for regulation in the area of data security. Other regulators in different industries do not have such regulatory powers, and indeed even the ICO does not have (in many people’s views) sufficient power to deal appropriately with serious data security breaches. In light of the HMRC episode, however, this looks set to change.
Of some use to organisations may be a new handbook, published by the ICO, which advises organisations that they should consider the impact on individuals’ privacy before developing new IT or organisational systems which handle personal data. The handbook aims to assist organisations in addressing the data protection and privacy risks before implementing new initiatives and technologies. It is available via the ICO website.
But probably of greater importance will be the recommendations for changes to the laws governing data security arising from the current consultations following the HMRC incident.