Despite the fact that compliance with the Data Protection Act (DPA) is mandatory for all British organisations, a total of 66 enforcement notices for DPA infringements were issued by the Information Commissioner's Office (ICO) between January 2013 and October 2014, resulting in £2,170,000 in monetary penalties. Poor information security was the biggest single reason for these sanctions according to comprehensive analysis of Data Protection Act contraventions over the past 20 months conducted by IT Governance.
The research reveals that enforcement notices were issued by the ICO for both massive and extensively damaging cyber-security breaches, as well as simpler but no less significant contraventions – such as faxes that were sent to the wrong recipients.
Monetary penalties were more severely enforced for online breaches and cyber-attacks, costing companies an average of £52,308 per incident. By contrast, losing a device or file cost companies £35,000 on average.
Alan Calder, founder and executive chairman of IT Governance, issued a statement saying: “With cyber-criminals becoming increasingly sophisticated, it is more difficult than ever to ensure that all possible access points into an organisation's systems are protected and to effectively reduce cyber-risks. A holistic approach to information security is crucial – to be successful, organisations must adopt a best-practice approach to enterprise-wide information security management that encompasses people and processes, as well as technological solutions.”
A staggering 94 percent of all notices issued in the last 18 months were attributed to non-compliance with the seventh principle of the DPA. This requires that “appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”.
A copy of the full ‘Data Protection Compliance - Research Report 2014’ report is available from IT Governance.