Infosec 2015 Thefts and losses of computers and laptops often go unreported to data privacy watchdogs and could represent a huge hidden risk for the leak of confidential data, according to new research.
The Information Commissioner’s Office received 1,089 data breach reports between March 2014 and March 2015, yet police forces across the UK received at least 13,000 reports of thefts of devices that could hold sensitive data from businesses. The figures come from a series of Freedom of Information requests from security and comms specialist ViaSat UK.
The current Data Protection Act contains no legal obligation to report breaches and has no specific security requirements for full disk encryption or similar protection included; therefore, there is no way of knowing whether any of these thefts put the sensitive data at risk, according to ViaSat.
Chris McIntosh, chief exec of the security firm, argued that the ICO needs greater powers to deal with the true scale of data breaches.
“It’s clear that this discrepancy isn’t due to the ICO but the framework it has to operate in,” McIntosh said. “As it stands, the ICO simply doesn’t have the tools and powers it needs to ensure that either all threats are reported, or that risk is minimised. For instance, encrypting sensitive data is now a trivial matter in terms of both cost and complexity. If encryption of personal data was made mandatory, and enforced with spot checks and suitable punishments, then the public and the ICO could have much greater confidence that none of the 13,000-plus stolen devices represent a threat.”
The vast majority of breaches reported to the ICO came from the healthcare sector, which was responsible for 431 in total; the next highest was local government, with 129. Between them these two sectors accounted for more than half (51 per cent) of all 1,089 reported breaches and the greatest number subject to ICO enforcement action. Education and law enforcement also accounted for a significant number of reported breaches.
“The statistics suggest that the private sector is still greatly under-reporting the number of potential breaches it encounters,” according to ViaSat.
Disclosure of data (689) and security (375) were by far the two most common categories of self-reported data breaches. The number of self-reported breaches fell from 1,274 in 2013/14 to 1,089 in 2014/15.
The total value of monetary penalties issued by the ICO for self-reported data breaches between in the year to 12 March 2015 amounted to £1,142,500, compared to £1,230,000 in the 2013/14 season and a bumper £2,610,000 in 2012/13.
Chris McIntosh continued: “The ICO’s role is to encourage best practice in data protection. While it is clear that its financial penalties are aimed at this goal, it still needs more legal and financial muscle to drive its goals. While compulsory reporting of every single potential breach could be difficult to enforce, inevitably it would give the ICO a clearer view of the problem and allow it to better mandate best practice. However, in the meantime compulsory encryption, and the power to police it, is the absolute minimum that the ICO should be granted.”
ViaSat sells encryption technology so it has a commercial interest in trying to drive demand. Its research methodology appears sound and the problem it identifies is genuine enough; however, the argument that more resources and powers for the ICO would answer the problem isn’t terribly convincing.
A shift in attitudes, making encryption technology available out of the box, and user education would all seem to have a role. ®