Companies Warned To Come Clean On Data Breaches

Businesses that do not own up to data breaches will face tougher action than those that come forward of their own volition, the Office of the Information Commissioner (ICO) has warned.

In a statement released this week, the ICO said that more than 800 data security breaches have been reported over the last two years. The ICO warns that companies that approach it voluntarily will still face some action, but those businesses which attempt to cover up security incidents will be hit with much tougher penalties.

“In just over two months a further 100 organisations have reported data security breaches to us,” said deputy commissioner David Smith. “Talking to us may of course result in regulatory action. However, organisations must act responsibly; those that try to cover up breaches which we subsequently become aware of are likely to face tougher regulatory sanctions.”

According to the ICO, 195 of the 818 breaches reported to the organisation since November 2007 have been attributed to mistakes or accidents. But a further 262 breaches were down to theft of personal devices such as laptops. “Staff must be adequately trained and organisations should give proper consideration to restricting staff from downloading large volumes of data on to memory sticks and other portable devices,” the ICO states.

Earlier this month, the ICO criticised Southampton University Hospitals NHS Trust (SUHT) for its lax approach to security, which allowed a laptop containing 33,000 patient records to be stolen. The unencrypted laptop was stolen on 19 October 2009 from a hospital vehicle that was left unlocked and unattended, according to an ICO statement.

The ICO is urging companies to be more forthcoming about revealing data breaches ahead of an increase in its powers planned for later this year. Earlier this month, the ICO was given the power to issue large fines for any serious data breaches, after gaining the approval of Secretary of State for Justice, Jack Straw. The power is expected to become law on 6 April, provided there are no parliamentary objections.

Companies that fall foul of the data breach laws now risk a maximum fine of £500,000. It is not clear at this time whether the same principle applies to government departments that lose sensitive data.

Andrew Donoghue
