ICO fines against self-reported breaches increased by two-thirds last year

News by Dan Raywood

The number of self-reported data breaches to the Information Commissioner's Office increased from 730 to 1,150 in the space of a year.

According to a Freedom of Information Act request by ViaSat, there were 730 self-reported breaches between March 2011 and February 2012, and 1,150 in the same months during 2012 to 2013.

Chris McIntosh, CEO of ViaSat UK, said: “Those of us concerned about the state of data protection in the UK can take some comfort from these figures. First is the fact that more data breaches are being reported; while this may mean an increase in the number of breaches, it also suggests that such breaches are being more readily identified and reported, rather than left unreported where the issues causing them will fester, unresolved.

“Second, it is clear that the ICO is standing by its promise to use both the carrot and the stick when enforcing the Data Protection Act. Not only has the number of monetary penalties increased year-on-year, but they have grown in size and been implemented across both the public and private sectors.”

Also, over the same periods, the number of monetary penalties imposed on organisations for poor data security massively increased: from nine penalties totalling £791,000 in 2011-2012 to 20 penalties totalling £2,610,000 in 2012-2013, a growth of 230 per cent.

The request found that whilst eight of the nine monetary penalties in 2011-2012 were levied against the public sector, accounting for £790,000 of the £791,000 levied, in 2012-2013 the figure was more even, with four of the 20 penalties levied against the private sector for a total value of £520,000 out of £2,610,000.

In a recent SC Magazine webcast poll, 79 per cent of listeners agreed that if you suffer from a cyber security breach, you must report this to national regulators.

Speaking on that webcast, Stewart Room, partner at Field Fisher Waterhouse, said that this needs guidance and, because there was no obligation to disclose to the regulator under the current Data Protection Act policy, it comes down to choice.

“Of 25 fines issued last year, 21 were self-reported while the other four were against those who were found out and if you disclose, you are at risk of being fined, but it doesn't give you an amnesty against fines,” he said.

