Half of the 28 private sector security breaches were by
financial services companies.
The problem of lost personal information gained a far higher
profile in the aftermath of HMRC's loss of two discs containing the
entire register of people claiming child benefit last year. The
information on the discs included the names, addresses and banking
details of 25 million people, leading to widespread fears of
identity theft.
Since then, though, organisations in the public, private and
charity sectors have all lost data in circumstances that led to
them being reported to the Information Commissioner's Office
(ICO).
"It is particularly disappointing that the HMRC breaches have
not prevented other unacceptable security breaches from occurring,"
said Information Commissioner Richard Thomas. "The government,
banks and other organisations need to regain the public’s trust by
being far more careful with people’s personal information."
The cases which have been reported to the ICO include the loss
of whole computers, USB memory sticks containing data and computer
discs containing unencrypted data. Paper records have also gone
missing, and the information on all these formats has included
financial records, health records and other personal
information.
Information has been stolen, but it has also been lost in
transit, either by post or with courier services.
The information has so far been recovered in only three of these
cases. In 16 of them the ICO has ordered a change to data
management processes, including ordering that such data be
encrypted in future.
Of the 62 breaches in the public sector, a third involved central
government and its agencies and a fifth involved the NHS.
The ICO has published new guidance on how to deal with data
security breaches.
"Once again I urge business and public sector leaders to make
data protection a priority in their organisation," said Thomas.
"The level of understanding about data protection and the need to
safeguard people’s personal information have no doubt increased and
I am encouraged that more chief executives and permanent
secretaries appear to be taking data protection more seriously, but
the evidence shows that more must be done to eradicate inexcusable
security breaches."
Most US states have security breach notification laws, and a
significant number of breaches have come to light because of them.
At present, though, there is no general duty to notify security
breaches in the EU. The European Commission announced plans last
year to introduce such a requirement for telecoms companies.
Earlier this month the privacy watchdog for EU institutions, the
European Data Protection Supervisor (EDPS), called for that
proposal to extend to banks, businesses and medical bodies.