Skip to main content

Data Leaks Prevalent Amongst Staff and Contractors

A twenty-five page report by security outfit Symantec has concluded that contractors and employees are the main cause for person data breaches in the UK. According to the report,
thirty-six  firms in the UK covering eleven different industries has experienced data breaches during 2011 which resulted in a notification to the Information Commissioner.

Apparently the data breaches were caused over a third of the time by "a negligent employee or contractor" whilst "system glitches" were responsible for another third of the instances. The glitches account for "a combination of both IT and business process failures," the report said. Malicious or criminal attacks were the cause of the remaining one third of cases.

Symantec expressed the view that the amount of information breached on average had fallen and that a larger number of customers were remaining loyal to companies that had lost data. "The average abnormal churn decreased from 3.3 percent in 2010 to 2.9 percent this year," the report said. "However, certain industries, such as financial services and pharmaceutical companies, are more susceptible to customer churn, which causes their data breach costs to be higher than the average. Taking steps to keep customers loyal and repair any damage to reputation and brand can help reduce the cost of a data breach."

Companies also experienced lower costs relating to business lost through  data breaches, the report said. Those costs – which account for factors such as losses to businesses' reputations as well as diminished goodwill – "sharply decreased from £913,910 in 2010 to £779,414 in 2011".

The study said breaches as a result of criminal or malicious attacks were "the most costly".  "..Organisations need to focus on processes, policies and technologies that address threats from the malicious insider or hacker," it said. In 2011,  global companies such as Sony, Nokia and Acer all had personal data stored on their systems stolen by hackers.

All companies and businesses (including internet service providers) are required to notify affected customers and the Information Commissioner's Office (ICO) of personal data breaches immediately, as provided for  in the Privacy and Electronic Communications Regulations.

Since April 2010 the ICO has had the power to issue monetary notice penalties of up to £500,000 for serious data breaches of the Data Protection Act (DPA). It rarely imposes such fines, according to some sources.

Brian can be contacted at Stone King, Solicitors.  For further news and information on legal topics of interest, please visit Brian's other blogs:



Popular posts from this blog

Thirteen Point Guide to the General Data Protection Regulation (GDPR)

The General Data Protection Regulation (“ GDPR ”) will come into force and apply to all EU member states from 25 May 2018. The UK’s decision to leave the EU will not affect the commencement of the GDPR. It contains eighty-eight pages, 99 articles and 173 related recitals and is therefore no small piece of legislation. Overall, the principles under the GDPR are similar to those under the current Data Protection Act. However, there are new elements and significant enhancements; particularly in relation to accountability. The GDPR puts the onus on organisations to show how it complies with the data protection principles and there is a greater emphasis on documenting specific activities. Other  key changes  to be aware of include: Wider scope of application  – certain definitions under the GDPR have been broadened, for example, the definition of “personal data”. Higher penalties  – the GDPR introduces tougher sanctions, including administrative fines for non-com

Jail Sentences for Data Protection Offenders

The House of Commons' Home Affairs Select Committee are encouraging the Home Secretary to introduce jail sentences as a possible punishment for data protection offenders. This is to act as a stronger deterrent than the current, quite ineffective fines.  It is generally unlawful for a person to "knowingly or recklessly without the consent of the data controller obtain or disclose personal data or the information contained in personal data, or procure the disclosure to another person of the information contained in personal data", under Section 55 of the Data Protection Act (DPA). But now, personal data has never been easier to access and the risks of information being leaked are an increasing concern. There are many new suppliers of information who are unlikely to understand or take notice of the rules to which they must comply. While the maximum fine for committing a section 55 offence is £5,000 when the case is heard in a Magistrates Court, and unlimited when

Ten Questions to Ask Your Cloud Provider

The use of cloud computing is on an exponential rise, as it offers users almost unlimited storage of data, reduces the need for organisations to have physical servers and allows easy access to information from anywhere in the world. As such, many UK based organisations are now turning to cloud computing to satisfy their data storage needs. But there is one issue which seeks to bring grey clouds over an otherwise silver lining and that is data security . By using the cloud instead of a physical storage device, organisations are obliged to hand over data to a third party cloud provider, some or all of which might be personal data within the meaning of the Data Protection Act. An organisation must therefore be sure, before it enters into a contract with a cloud provider, that its information will be kept securely and the provider’s handling of data will be compliant with the Act and any other applicable laws. Before you embark upon acquiring a business which uses cloud computing o