Skip to main content

Data Leaks Prevalent Amongst Staff and Contractors


A twenty-five page report by security outfit Symantec has concluded that contractors and employees are the main cause for person data breaches in the UK. According to the report,
thirty-six  firms in the UK covering eleven different industries has experienced data breaches during 2011 which resulted in a notification to the Information Commissioner.

Apparently the data breaches were caused over a third of the time by "a negligent employee or contractor" whilst "system glitches" were responsible for another third of the instances. The glitches account for "a combination of both IT and business process failures," the report said. Malicious or criminal attacks were the cause of the remaining one third of cases.

Symantec expressed the view that the amount of information breached on average had fallen and that a larger number of customers were remaining loyal to companies that had lost data. "The average abnormal churn decreased from 3.3 percent in 2010 to 2.9 percent this year," the report said. "However, certain industries, such as financial services and pharmaceutical companies, are more susceptible to customer churn, which causes their data breach costs to be higher than the average. Taking steps to keep customers loyal and repair any damage to reputation and brand can help reduce the cost of a data breach."

Companies also experienced lower costs relating to business lost through  data breaches, the report said. Those costs – which account for factors such as losses to businesses' reputations as well as diminished goodwill – "sharply decreased from £913,910 in 2010 to £779,414 in 2011".

The study said breaches as a result of criminal or malicious attacks were "the most costly".  "..Organisations need to focus on processes, policies and technologies that address threats from the malicious insider or hacker," it said. In 2011,  global companies such as Sony, Nokia and Acer all had personal data stored on their systems stolen by hackers.

All companies and businesses (including internet service providers) are required to notify affected customers and the Information Commissioner's Office (ICO) of personal data breaches immediately, as provided for  in the Privacy and Electronic Communications Regulations.

Since April 2010 the ICO has had the power to issue monetary notice penalties of up to £500,000 for serious data breaches of the Data Protection Act (DPA). It rarely imposes such fines, according to some sources.


Brian can be contacted at Stone King, Solicitors.  For further news and information on legal topics of interest, please visit Brian's other blogs:



 





Labels:

Comments

New comments are not allowed.

Popular posts from this blog

Cloud Service Providers Now Subject To Scrutiny Of Assurance Registry

After mounting concerns relating to the security of cloud computing, a new online platform is to enable users to assess the security features of registered cloud providers. The Security, Trust & Assurance Registry (STAR) hopes to encourage providers to improve their data protection security thanks to this increased transparency, as well as aid organisations using the providers to comply with data protection laws. The Working Party drew attention to firm’s lack of control over customer’s personal data when using cloud services. As cloud computing uses an internet based network in place of local computing resources, they stated that there is risk of "loss of governance, insecure or incomplete data deletion, insufficient audit trails or isolation failures," by organisations using these providers.          Operated by not-for-profit body the Cloud Security Alliance (CSA), STAR hopes to limit such risks to data protection. The CSA’s members include Google, Microsoft and m
Post a Comment
Read more

Torbay Care Trust Fined For Data Protection Breaches

As a result of breaching data protection laws, the Torbay Care Trust has been fined £175,000 by the ICO. A spreadsheet containing "sensitive" information about the employees' religion and sexuality; as well as names, dates of birth and national insurance numbers was published on to their website. The ICO said that such information was likely to cause substantial damage and/or distress to those who had had their details exposed. What is more, head of enforcement with the ICO, Stephen Eckersley, highlighted that the release of such information put staff at risk of being victims of identity fraud. The breach only came to light when a member of the public reported it 19 weeks after it was posted, the ICO said. The Data Protection Act (DPA) requires organisations to exercise the appropriate organisational measures to eliminate the risk of such sensitive information being used without authorisation. This includes the need to have "effective policies and procedures
Post a Comment
Read more

ICO imposes fine of £250,000 for data protection breach by Scottish council

A Scottish council hired a man known as ‘GS’ to “digitise” its employees’ pension records with no written contract in place between the Scottish council and GS containing the data processing and security requirements specified by the Information Commissioner’s Office (ICO).   Files containing Council employees’ names, addresses, national insurance numbers and, in some cases, individual’s salary and bank account details, had been dumped in a supermarket’s recycling bank and found by a member of the public.   In its civil monetary penalty notice, the ICO said that approximately 8,000 pension records, some of which included details of ill health benefits, had been digitised by GS.  GS would send to the council by standard post unencrypted discs containing the information.  It said that the council was unaware that GS was disposing of the paper records in recycling banks.   The ICO said in its civil monetary notice “ The Commissioner is satisfied that the contravention w
Post a Comment
Read more