The Cost of Data Breaches

A county council and an employment services company became the
first organisations to be fined for data breaches under the monetary
penalty powers that the Information Commissioner’s Office gained in
April 2010. With the two fines totalling £160,000, VEGA asks how far
public, private and voluntary sector bodies have considered the
financial and reputational implications of a data breach, over and
above their obligations under the Data Protection Act.
Following a series of high profile data lapses, especially by
government departments and some of their suppliers, the final
report on Data Handling Procedures in Government was published in
June 2008. One of its recommendations was the introduction of ‘new
rules on the use of protective measures, such as encryption and
penetration testing of systems’. In January 2010 the Information
Commissioner’s Office (ICO) announced plans to impose fines of up to
£500,000 for serious data breaches, adding a whole new impetus to
the Government’s drive to address this issue.
Data protection has never been more important
Detailing the new penalties, the Information Commissioner
explained: “Getting data protection right has never been more
important than it is today. As citizens, we are increasingly asked
to complete transactions online, with the state, banks and other
organisations using huge databases to store our personal details.
When things go wrong, a security
breach can cause real harm and great distress to thousands
of people. These penalties are designed to act as a deterrent and
to promote compliance with the Data Protection Act. I remain
committed to working with voluntary, public and private bodies to
help them stick to the rules and comply with the Act. But I will
not hesitate to use these tough new sanctions for the most serious
cases where organisations disregard the law.”
First fines issued for data breaches
Just seven months after the penalties came into force, the first
fines of £100,000 and £60,000 were issued respectively to
Hertfordshire County Council and A4e, an employment services
company. Hertfordshire County Council was fined for two serious
incidents in which council employees faxed highly sensitive personal
information to the wrong recipients. The first case, involving child
sexual abuse, was before the courts, and the second involved details
of care proceedings. Meanwhile, A4e was punished for losing an
unencrypted laptop which contained personal information relating to
24,000 people who had used community legal advice centres in Hull
and Leicester.
In issuing the fines, the Information Commissioner, Christopher
Graham, said: “It is difficult to imagine information more
sensitive than that relating to a child sex abuse case. I am
concerned at this breach – not least because the local authority
allowed it to happen twice within two weeks. The laptop theft,
while less shocking, also warranted nothing less than a monetary
penalty as thousands of people’s privacy was potentially
compromised by the company’s failure to take the simple step of
encrypting the data.
“These first monetary penalties send a strong message to all
organisations handling personal information. Get it wrong and you
do substantial harm to individuals and the reputation of your
business. You could also be fined up to half a million pounds.”
In February 2011, fines of £80,000 and £70,000 were issued to
Ealing and Hounslow Councils respectively, for serious breaches of
the Data Protection Act, after two unencrypted laptops containing
sensitive personal information on around 1,700 individuals were
stolen from an employee’s home.
Implementing and enforcing data handling measures
As the Information Commissioner indicates, so many elements of our
lives have now been digitised, and the more information is shared,
the greater the need for effective information security and
assurance. Organisations must therefore be able to demonstrate that
they protect the confidentiality and integrity of the data they
hold, and of the ways in which it is stored and distributed, as well
as comply with the regulatory requirements set out in the Data
Protection Act and elsewhere. It is worth noting that none of the
penalties described above followed a sophisticated attack: each
stemmed from a basic control that was missing, namely encryption of
the data on the laptops that were stolen, and a check of the
recipient before highly sensitive material was faxed.
Understanding the real cost of data breaches
Although its first two fines were significant, the ICO has
promised to take a “pragmatic and proportionate approach to issuing
an organisation with a monetary penalty”, taking into account
factors such as financial resources, sector, size and the severity
of the breach. However, as the ICO itself suggests, organisations
must start to recognise that the financial implications of a data
breach are wider and longer term than the cost of a single, albeit
potentially substantial, one-off fine.
When an individual is unfortunate enough to lose personal and
financial details, it may leave them exposed to identity theft,
blackmail, social pressure, disgrace and humiliation. However, there
are relatively quick and easy steps they can take to limit the
damage, and the consequences are likely to extend only to them or
perhaps their immediate family. In addition, they probably only have
to answer to their own guilty conscience and the indignation of a
rather put-out partner! The cost of losing protectively marked
information about a sizeable portion of a nation’s population, or
about an international client base, is quite a different matter.
A financial rap on the knuckles is likely to fade into
insignificance when a company has to cope with the resulting damage
to its brand and reputation. Just how much is the bottom line
affected by a negative news story that sees customers lose
confidence in an organisation’s ability to look after their most
personal information? How much would one expect to spend on public
relations campaigns to try to re-establish brand credibility?
As well as any PR investment, organisations should consider the
financial impact on everyday operations. It is fair to assume that
a data breach would reduce productivity, with resources diverted
away from core responsibilities to handle the resulting increase in
client enquiries, media attention and supplier concerns.
Finally, in trying to contain the resulting bad publicity, an
organisation would be commercially, and often legally, obliged to
carry out a thorough security review. This would almost certainly
lead to changes in policy, strategy and technology, in order to
demonstrate that everything reasonable had been done to prevent a
further breach.
Financial impacts greater than fines
The considerations above will have a significant financial impact
on any organisation. At a time of extreme global financial pressure,
these wholly avoidable commercial disruptions have the potential to
hit the profitability of an organisation and its stakeholders,
leaving aside the cost of intervention by the ICO.
Ultimately, it is unknown how far the total consequences of a high
profile data breach are considered as part of an organisation’s
existing risk management planning. While the ‘true’ cost of a data
breach is unlikely ever to be fully exposed, it is safe to assume
that it dwarfs the cost of the threatened ICO fines.