Private companies reported the most data security breaches of any sector over the past 12 months.
According to the Information Commissioner Christopher Graham, of the 603 data security breaches reported to the ICO in 2010/11, 186 occurred in the private sector, yet only 19 per cent of businesses contacted by the ICO accepted a free data protection audit.
In contrast, 71 per cent of public sector organisations that were contacted voluntarily agreed to be audited. Graham said: “Lenders, general businesses and direct marketing companies account for almost a third of total complaints to the ICO, and businesses were the top sector for reporting data security breaches to us last year. Despite this, many of them are still resisting our offer to undergo audits. We've written to organisations we consider to be high risk but the response has been disappointing.
“These audits are not about naming and shaming those who are getting it wrong. The fact that a company has undergone a consensual audit should count as a badge of honour, showing that the business takes data security seriously. After all, sound data protection practices are irrevocably linked to providing good customer service.”
The ICO said that its good practice audits are designed to help organisations and businesses to meet their data protection obligations through sharing good practice and making helpful and practical recommendations. During 2010/11, the ICO wrote to over 100 public and private sector organisations to offer its services. Of those approached, 30 per cent have agreed to undergo an audit.
Chris McIntosh, CEO of ViaSat UK, said: “While the private sector has been responsible for almost a third of all breaches reported to the ICO, given that there is no legal obligation on data controllers in the private sector to report a data security breach, we cannot be sure if this is the full story.
“According to its own records, the ICO has taken direct action against the public sector on 37 occasions, yet it has taken direct action against private organisations only five times. Whilst exactly a third of all civil penalties have been levied on private organisations, the amounts fined are still some way distant: a total of £61,000 against £370,000 for the public sector.
“With its reluctance to take up offers of auditing and other help, it seems that the private sector may need the incentive of further civil penalties in order to combat lax data security. We still haven't seen the ICO come close to issuing the maximum penalty of £500,000, with the largest fine to date standing at the £120,000 meted out to Surrey Council.
“The ICO needs to be sure it is using the stick as well as the carrot, balancing offers of help such as security audits and praising improvements with the threat of action, either through the ICO itself or through the courts. There still needs to be a real threat of severe action from the ICO: otherwise, despite its best efforts it could still come across as a soft touch.”
Mike Smart, solutions director EMEA at SafeNet, said: “While the ICO doesn't want to come across as naming and shaming, recent high-profile security breaches are making organisations really anxious. The issue here is one of trust: what happens if a high-profile company accepts a free security audit and it uncovers security vulnerabilities that the ICO deem they should have known about and been prepared for? Will they be under scrutiny from the ICO in future?
“My point would be that organisations are reluctant to be audited because they fear the censure of the ICO and how an audit may lay them open to financial penalties. It is something of a Catch 22 and a solution needs to be found if high risk organisations aren't ready to open up on these concerns.”