UK Data Encryption: FOI Request Finds ICO Fines Lower, Breach Incidents Higher.

A freedom of information request, filed by ViaSat for data held by the UK’s Information Commissioner’s Office (ICO), has led to the conclusion that data breach incidents have grown in the British Isles in the past year by 37%.  The same data shows that monetary penalties by the ICO have fallen in the same period.  This has got the folks over at wondering if the UK is regressing when it comes to data security.

Personally, I’m not sure that it is, at least not from a digital data security standpoint: only 8% of data breaches are attributed to lost or stolen hardware.  I don’t know whether this figure excludes data that was protected with encryption software.  Regardless, it’s an impressive feat considering that in other developed countries, the rates are much, much higher.

Different Laws, Different Definitions of a Data Breach

Different countries (and – depending on the country – different counties, states, prefectures, and other regional government bodies) could have their own definition of what constitutes a data breach.

While I haven’t found any UK legislation that specifically states that the loss of encrypted data does not constitute an information security breach, the ICO has brought numerous actions against organizations that didn’t use encryption.  The writing is very clear: in the UK, the loss of encrypted data is not a data breach.  That is, assuming the password for accessing the secured data wasn’t lost in tandem.

This differs markedly from, say, New York’s position on encrypted data.  Under state law, even the loss of encrypted data is classified as a data breach.  In Massachusetts and Nevada, it’s not.  Neither is it in California.  Indeed, most US states have a safe harbor provision for encrypted data.  Three have no provisions whatsoever – they don’t have a data security or privacy law on their books – and some have made the terrible decision to accept the use of password-protection as proper data security.

8%?  That’s Not Bad at All

We could discuss different laws until the cows come home, but the really interesting thing about ViaSat’s conclusion is this:

The most common form of data breach, at 48 per cent, involved the sending of information to the wrong recipient. Lost or stolen paperwork followed, making up 16 per cent of reports, while lost or stolen hardware accounted for 8 per cent.

The data breach rate for hardware is extremely low.  In the US, and in most post-industrial countries, the rates tend to be not only in the double-digits, but sometimes well over 20%.  That the UK is seeing an 8% rate can only mean two things:  (1) they’ve succeeded in convincing people to use proper security on their hardware or (2) people are not reporting their digital data breaches to the ICO.  The latter would be very puzzling, though, seeing how they do report it for paper documents.  Why report one but not the other?

Also, consider this: if the 8% figure includes incidents where data encryption software was used, then the actual breach rate is even lower.  Regardless, it’s low overall.

That’s an enviable number, regardless of how you slice it.

11% Increase in Reported Breaches

Also enviable?  The 11% increase in breaches reported year-over-year.  Yeah, ideally we want to see the number decrease – heck, we want to see the number at 0%.  But a growth rate that’s barely broken the single digits is not so bad.

Such growth could be attributed to something other than increased security events.  For example, perhaps people are now more cognizant of the fact that lost paperwork, or that “sending information” to the wrong person (I get the feeling that most of these are instances of sending email to the wrong address), also constitutes a reportable security incident.

Overall, it seems that the ICO’s past actions are paying dividends.  Let’s not forget what the ICO has said in the past: that they use monetary fines for the most egregious offenses, not only as a form of punishment but also as a way of signaling to others what is not acceptable.

Twice Bitten, Four Times Shy?

Also to be taken into consideration is that, in 2013, the ICO lost a couple of high-profile cases involving the handing out of monetary penalties, as detailed in  Of course, there were also plenty of appeals where the courts held the ICO’s hand as well, but once they put the kibosh on one aspect of your operations, you tend to become more circumspect.
