Out-Law News | 03 Jun 2016 | 2:52 pm | 3 min. read
Between the beginning of January and end of March this year there were 448 incidents of data breach or loss recorded by the Information Commissioner's Office (ICO). According to its category break-down of the cases, most incidents could be attributed to human error.
Of the 448 incidents, 74 were recorded as a loss or theft of paperwork, a further 74 were cases where data was posted or faxed to the wrong recipient and in 42 cases data was emailed to the incorrect recipient. Unencrypted devices were either lost or stolen on 20 occasions in the first three months of the year, and 24 cases concerned insecure disposal of paperwork. Organisations failed to redact personal data 28 times during the period and a further 19 cases in total concerned either information uploaded to a webpage, verbal disclosure or insecure disposal of hardware.
In comparison, there were 39 cases of data breaches in the first quarter of 2016 stemming from insecure websites, which includes incidents of hacking. A further 128 data security breaches were recorded by the ICO during the period but were not categorised by the watchdog.
According to the data, 184 of the 448 data security breaches occurred at health bodies, which are obliged to report data breach incidents unlike most other organisations. Local government, education bodies and general business groups were responsible for a further 115 of the incidents. Finance, insurance and credit firms experienced 25 data breaches during the three month period.
The ICO also said that communications service providers reported 176 separate personal data breaches under the Privacy and Electronic Communications Regulations during the months of January, February and March this year.
Egress Software Technologies was the company behind the freedom of information disclosure by the ICO.
"The fact that so many breaches are caused by methods of working that are known data breach pitfalls – such as faxing and posting sensitive information, or using plaintext email – should be a major concern for all organisations," Tony Pepper, chief executive of Egress said. "Organisations need to begin gaining a holistic understanding of the information security measures they have in place."
"This begins with examining the nature of the data produced and handled by their staff, and using a classification tool to mandate how that it is treated. Next, they need to make sure that, when required, the data is released in the correct manner. Integration between classification policy and tools, such as email encryption and secure online collaboration, can ensure the correct protection and control is applied to the data when it is released from their environment – functionality obviously not available in more traditional ways of working," he said.
Under the UK Data Protection Act (DPA) data controllers are required to take "appropriate technical and organisational measures" to ensure against the "unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data".
When outsourcing personal data processing to others, data controllers are required to select processors that can provide "sufficient guarantees" that they can properly meet the "appropriate technical and organisational measures" requirement and that they will "take reasonable steps" to "ensure compliance".
The data controllers must establish a written contract with data processors specifying that the processor may only undertake processing activities that the controller tasks them with, whilst the contract must also hold the processors to meeting the data security obligations of the DPA. The data controller is also responsible for those personal data security standards being met by the processors to which they outsource and so must ensure that it monitors the processors' compliance with its contractual obligations.
Organisations can be fined up to £500,000 by the ICO for serious breaches of the DPA.
However, recently finalised new EU data protection rules, which will come into effect in May 2018, create a new statutory obligation on data security that data processors must observe above and beyond contractual duties agreed with data controller customers. In addition, the General Data Protection Regulation will introduce a new data breach notification regime which all organisations will be subject to. A stiffer sanctions regime will also apply, with fines of up to €20 million or 4% of global annual turnover for the preceding financial year, whichever is the greater, possible.