Lessons to learn from a year of data breaches

In the year since the HMRC data breach, many more have been made public – here’s a roundup of 11 lessons (we should have) learned.

Merchant Securities Group was fined 77,000 even though it didn't even have a security breach, but simply because its methods risked enabling one.

At the time, Margaret Cole, the director of enforcement at the FSA, said: "It is unacceptable that despite increased awareness of data security issues, a firm should be so careless about its systems for protecting customers' personal details. People have a right to expect their details to be kept secure and firms should be committed to treating their customers fairly in all aspects of their business." Right on, Margaret. Right on.

Lesson 11: The ICO needs more powerOf the 277 data breaches the ICO has investigated over the past year, it's taking action against 30 organisations. That's not a lot.

The actions it can take generally consist of sending an angry letter demanding changes to processes, to ensure the guilty body learns to comply with the Data Protection Act. For the most part, this means deleting unnecessary data and encrypting portable media devices which is what the watchdog made Virgin Media do in the wake of a lost disc.

Advertisement - Article continues below
Advertisement - Article continues below

Under the threat of prosecution, most organisations seem to just buy some encryption software and get on with business. Not really much of a deterrent, is it?

Members of the government and the information commissioner himself have all called for stronger powers. Thomas said last year that his limited powers were a "very bizarre situation, unlike virtually all the other data protection authorities around the world and most other regulatory bodies, such as the Financial Services Authority."

Indeed, until the watchdog gains the power to fine like the FSA or data breaches become criminalised, it's going to continue to be little more than a source of good advice often ignored and some nasty letters now and then.

Featured Resources

What you need to know about migrating to SAP S/4HANA

Factors to assess how and when to begin migration

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

Testing for compliance just became easier

How you can use technology to ensure compliance in your organisation

Download now

Best practices for implementing security awareness training

How to develop a security awareness programme that will actually change behaviour

Download now

Most Popular

data governance

Brexit security talks under threat after UK accused of illegally copying Schengen data

10 Jan 2020
cyber security

If not passwords then what?

8 Jan 2020
Policy & legislation

GDPR and Brexit: How will one affect the other?

9 Jan 2020
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020