The Information Commissioner’s Office (ICO) in the UK has released a compendium of data breach figures covering April 2013 to December 2013. In the US, where public records like the HIPAA “Wall of Shame” show lost and stolen devices dominating the breach counts, laptop disk encryption and similar crypto technologies are the most effective way to prevent data breaches. The UK figures, however, suggest a country more prone to acts of maladroitness, and hence one that needs a solution relying less on silicon chips and lines of code.
Health Sector Most Data Breach Prone
The data tracks 43 “sectors”, including health, insurance, housing, local government, estate agents and telecoms. Of the 43, the health sector leads in reported data breaches, with 160 incidents in Q4 of 2013. Local government and education come second and third, with 55 and 36 breaches respectively.
Ten sectors had zero data breaches in Q4.
The top three incident types were “disclosed in error” (hence my “maladroitness” comment in the introduction), followed by “lost or stolen paperwork” and “other principle 7 incident”. (Principle 7 of the Data Protection Act 1998 is the requirement for appropriate technical and organisational measures against unauthorised processing and accidental loss of personal data; see the ICO’s page on principle 7 for details.)
Computer loss or theft comes fourth, barely behind the other principle 7 incidents. Disclosed in error alone accounts for nearly 50% of all incidents, and the top three together account for nearly 70%, the kind of concentration you would expect from the Pareto principle.
This contrasts sharply with data breach incidents in the US, where the loss or theft of digital devices that store data (laptops, external hard drives, flash drives, backup tapes, etc.) tends to account for most breaches. Indeed, hacking incidents have recently surpassed the loss and theft of digital devices in terms of the sheer number of individuals affected, yet in the ICO’s summary “technical security failing (including hacking)” comes in at a lowly sixth place.
What could account for this disparity between the US and the UK? Could the answer lie in the UK having and using better digital security than the US? Perhaps the answer lies in cultural factors.
For example, Japan is supposedly a country where the personal computer revolution never happened (at least not in the way it did in the US) because cellphones dominate the scene, so PCs are not as prevalent in the office as they are in the US. From there it is simple arithmetic: if you have few PCs to begin with, there is very little need for external drives, flash drives and backup tapes, and the number of data breaches attributed to digital devices can only be lower.
While I do not know what the situation is like in the UK, I imagine that cultural factors could account for the discrepancy (less use of digital devices; better adherence to computer usage policies and the law; people not reporting data breaches; etc.).
This just points towards each country needing to approach their data security needs in their own unique way.
(Of course, sometimes it makes sense to borrow another nation’s tactics and strategies. Most experts agree that the card data stolen in Target’s Thanksgiving-week data breach would have been far less useful to the attackers, and the damage limited, had “chip and PIN” cards been the norm in the US as they currently are in the UK: stolen magnetic stripe data can be written onto a counterfeit card, whereas cloning a chip card from that data is far harder.)