UK BYOD Security: Should You Report A Security Incident To The Information Commissioner’s Office?

As Bring Your Own Device programs make their transition from “hot trend” to “accepted business practice” across the world, one cannot escape the feeling that, at some point, companies will hurt their thumbs and find that “something wicked this way comes.” If they decide to engage in BYOD without the right MDM protection for smartphones and tablets like AlertBoot, that is, and end up with a data breach on their hands.

When the time comes, should one report the incident to the appropriate agencies?  In the UK, for example, should an organization voluntarily report a data breach to the Information Commissioner’s Office (ICO)?  The following finding may discourage you from doing so.

84% of ICO Fines are for Self-Reported Incidents

According to, eight out of the ten monetary penalties issued by the ICO in 2012 involved data breaches where the violator reported the incident.  If any were under the impression that the agency that’s charged with enforcing the Data Protection Act of 1998 is soft on organizations that forthrightly come clean, they’re sadly mistaken.

Field Fisher Waterhouse, a law firm that did the analysis, noted that,

84% of fines were for incidents that the organisations themselves had reported, demonstrating that self-reporters “are not given immunity from enforcement”

and expressed concern that “this may deter organisations from owning up to data breaches,” according to  A partner with the firm emailed the website and pointed out that “many controllers will be deterred from coming forward due to fear of fines and the absence of positive incentives” and, indeed, “that businesses [do] not feel obliged to report incidents themselves.”

And while the person quoted above works for a law firm and I don’t, if I may put in my two cents: not only do they not feel obliged, they aren’t even obligated – there’s no legal requirement to do so for most.  The last time I checked, under the law, it’s only a service provider that needs to notify the ICO, with “service provider” defined as:

a provider of any electronic communications service that is provided so as to be available for use by members of the public. This definition will cover, but is not necessarily limited to, telecommunications and internet service providers.

Also included in the above are the NHS Trusts, which is why they often show up on the news section of the ICO’s website and bear the brunt of the monetary penalties.

So, Do You Report Yourself?

If a company or organization is legally required to do so, the answer is a loud, unequivocal “yes.”  But what if you’re not?  The answer is still yes.

The key question is, I guess: how many of the data breaches that the ICO has come across in 2012 are self-reported?  If the answer is 84%, then an 84% penalty rate for self-reporting organizations is par for the course.

What the above report by Field Fisher Waterhouse does not take into account is the number of instances where one self-reported a breach and didn’t get penalized financially.  It’s a matter of statistics: we know that 84% of fines in 2012 went to self-reporting entities.  We also know that only a handful of the total are assessed with a penalty.  But is that unnaturally high when you consider the entire pool of data breaches in 2012?

If self-reporting companies represent a mere 50% of the entire pool, then an 84% rate is certainly high.  If they represent 95% of the pool, then 84% is low.  On the other hand, if a total of 15 companies were fined but over 700 breaches came across the ICO’s radar, the percentages would appear meaningless regardless of whether they’re representative of the total pool or not.

Other considerations: was the group of self-reporting companies penalized at a higher or lower rate than the group of companies that didn’t do the reporting?

Remember: there are lies, damned lies, and statistics.
