According to a new press release by the UK’s Information Commissioner’s Office (ICO), the number of data security breaches reported by English companies has increased by 58% year-over-year. Greater awareness is credited with the surprising increase; apparently, however, greater awareness doesn’t directly translate to greater engagement in data security practices such as deploying laptop encryption software like AlertBoot.
In the current 2011/2012 period, 136 data breaches were reported to the ICO by the private sector, an increase of 58% when compared to the 86 breaches reported in the same period the year before.
The increase is being attributed not to a sudden spike in data breaches but to greater awareness by companies when it comes to the Data Protection Act (DPA). Which is odd, because if they were truly aware of the DPA, companies would know that they’re not required to report data breaches to the ICO. Whether this is a sign of new-found corporate responsibility or of companies not doing a thorough job of combing through the DPA is up to you to decide.
The same release reports the following awareness figures:
33% are aware that “personal information is processed for limited purposes” (an increase of 5% from the last period)
32% are aware that “personal information is not kept for longer than necessary” (an increase of 8% from the last period)
Now, the above two are actual requirements under the DPA. Requirements. Reporting to the ICO? Not a requirement. Yet the latter shows an increase of 58% while the former is in the single digits?
I don’t think “awareness” quite explains it. Or, does it?
Private vs. Public
The problem with statistics is that results are ultimately affected by sampling. If we further break down the above stats by public vs. private organizations:
Public sector:
37% are aware that “personal information is processed for limited purposes” (a decrease of 7% from the last period)
38% are aware that “personal information is not kept for longer than necessary” (a decrease of 2% from the last period)
Private sector:
29% are aware that “personal information is processed for limited purposes” (an increase of 17% from the last period)
25% are aware that “personal information is not kept for longer than necessary” (an increase of 17% from the last period)
A 17% increase in awareness is nothing to sneeze at; however, it pales in comparison to the 58% increase in reported breaches. Saying that companies are still not aware of what the DPA requires is, I think, not an erroneous statement. Obviously, there needs to be more of an effort to increase the private sector’s awareness of the law.
For now, it appears that most people are reading the news and making a “data breach–ICO–notification” connection, as opposed to actively seeking information on what the Data Protection Act requires. But, hey, that’s better than nothing…or less than nothing.
Public sector organizations have shown a decrease in awareness. Pfft. And one wonders why the ICO is mostly fining public sector organizations….