Reported cyber security incidents involving UK organisations increased by more than 1,000 per cent over the past five years, according to official figures obtained in August by storage company Imation. In 2011 alone, there were 207 serious security breaches in the NHS, 44 in central government, and 277 across the private sector.
So is the UK in the middle of a data security crisis? Deputy Information Commissioner David Smith thinks not. “I don’t think you can necessarily say that more reports mean more breaches. It’s just that awareness of the need to report [has increased]," he said.
This awareness was given a major boost in 2010 after the Information Commissioner’s Office (ICO) was given the power to impose fines of up to £500,000 on organisations that contravene the Data Protection Act. The biggest fine to date – £375,000 – was issued to Brighton and Sussex General Hospital, which allowed hard drives containing highly confidential sexual health data to end up on eBay.
But while fines may have succeeded in bringing the issue of information security higher up the boardroom agenda, the ICO appears to be hungry for more powers, particularly in light of moves in Europe to introduce tough new data protection regulations as early as 2014.
“We’ve been pushing for custodial sentences for a long time,” Smith said. “The government has resisted for a number of reasons. Partly, as a general policy they don’t believe in creating more and more crimes that could carry prison sentences, particularly under the previous justice secretary [Kenneth Clarke]. And then Leveson is looking at this as part of his inquiry [into press practices and ethics], so let’s see how that goes. We do have a new secretary of state for justice [Chris Grayling] who may have a slightly different take on this.”
Smith also revealed that the ICO is “making the case to extend” its powers in other areas, to enable it to “come and check up on local government and health bodies”. In general, the ICO must get permission from an organisation before it can audit it. “We don’t usually have the power to say “Let us in, we’ve come to check on you’,” said Smith.