Si Kellow (UK) - The High Price of Data Breaches

Imagine the most unpleasant thing you can and multiply it by a thousand. That’s how unpleasant it is to have to report a data breach. It’s a task that’s guaranteed to win you no friends from any quarter. If you’re in the public sector your board will face questions about the organisation’s ability to ‘look after’ information, and there will be worries about ‘public trust’. In the private sector - if you’re listed - will a data breach affect share prices and shareholder confidence? Or will it just lead to a P45? What of the unfortunate people whose information has been breached? They’re usually the last to know.

Prior to April 6, 2010, the monetary penalties for data breaches weren’t particularly challenging – a level five fine, or up to six months’ imprisonment. So was there really a need to tell people that something had happened? The statute said yes, but in reality the incentive to do so was minuscule; even if you got caught out, £5,000 was small change. But in November 2007 something happened that changed the entire “’fessing up” landscape: HMRC lost two CDs with the Child Benefit database on them. Starting as an issue that ‘only mattered to other countries’, eventually the UK was exposed by a data breach that could have affected up to 25 million people. What choice was there but to come clean? The fallout from the event spawned the Cabinet Office Data Handling Review, and set the course for the ICO to get tough.

From April 6, the monetary penalties increased to a maximum of £500,000, and the criteria for reporting were made much more accessible. The onus most definitely shifted to the organisation that had suffered the breach to report and understand the situation as quickly as possible. After the Child Benefit incident, the public were more aware of the effect of data breaches and the potential for identity fraud, but it was in the Public Sector that the effects reached farthest. The requirements of the Data Handling Review meant that boards and executive teams were more involved in the data management process than ever before – as they should be, since their involvement is mandatory.

I was working in the sector at the time, and there was an air of apathy. Those that embraced data governance and understood what was going on used it to their advantage. The requirement to include in the Statement of Internal Control commentary around data handling, which included breaches, meant the appetite to report and close out the incident as fast as possible became paramount.

Since the ICO monetary penalties increased, it’s noticeable that the amount of Public Sector reporting has increased, but monetary penalties have been avoided, with a preference to get Chief Executives to sign up to an undertaking. This could be viewed as being worse than a penalty because it gives a timescale for the event to be tackled, and if that isn’t met then a penalty can still be imposed.

How about in the Private Sector? Of the 24 undertakings that have been published by the ICO in 2012, six are with limited companies, the others being charities and public sector entities. Of the six monetary penalties, not a single one was issued to the private sector!

During my time in the public sector I had cause to report three breaches to the ICO, but none of them appear on any notifications from the ICO, because I had put in place a protocol for the handling of data breaches, and I followed it to the letter. I am a proud possessor of emails from the ICO that say “no action to be taken as your report and handling of the event are satisfactory”. The Chief Executives at the organisations I represented, whilst uncomfortable at having to state that breaches had occurred, were satisfied that their auditors took apart the events and ensured that all possible controls had been put in place, and that the events were genuine accidents.

What of the future? Well, Europe has woken up to the fact that the member states’ interpretations of the Data Protection Directive are not as coherent as they could be. Working its way through Europe at the moment is a significant update to the directive, which is rumoured to include “cloud services”, but the biggest shakeup is a levelling of the playing field around monetary penalties. Although the exact percentages haven’t been finalised, amounts between 2% and 5% of annual global turnover have been mooted. Mandatory reporting within a shortened timescale will focus minds in the private sector. Reputational damage is no longer the main concern of a breach; the financial impact (and having to report that to shareholders/owners) is probably the most effective way of bringing breach reporting and breach management into the 21st century.

By Si Kellow, Security Consultant and Chief Security Officer, Proact
