UK data protection in the spotlight
So, 28 January 2010 was Data Privacy Day, an event which largely passed without fanfare. But several interesting pieces of information were published to coincide with the event, which indicated that there is still plenty to be done in the enterprise to ensure that increasingly high expectations for data security are met.
Figures from the UK's Information Commissioner's Office reveal that more than 800 security breaches were reported over a two year period, with almost one quarter of these being attributable to "mistakes", and almost a third being the result of thefts. A breakdown of the figures is available here.
According to an enterprise survey, while 80% of organisations are aware of the basics of managing physical records, only 23% have established policies that cover electronic records. This is complicated by "several macro trends" which have made the management of electronic data more complex -- including a sharp growth in electronic information; growing customer concern about how data is protected; the expanding regulatory environment related to data security; and heightened litigation demands.
A separate survey put the cost of data loss at £64 per customer record, of which £29 was attributed to reduced customer trust. While the figures for public sector organisations are slightly lower, it was noted that the costs associated with detecting and escalating a breach, and with alerting citizens and dealing with subsequent enquiries, are higher and are the principal contributors to the total costs. Private sector businesses are better at detecting problems, but in contrast have to deal with issues related to increased churn and attracting new customers as a result of breaches.
For companies operating in the UK, the cost of a data breach is about to get much bigger. The country's Information Commissioner will soon be able to impose a penalty of £500,000 on data controllers who "seriously contravene data protection principles". Decisions will be based on a "pragmatic and proportionate approach", based on factors including an organisation's financial resources, sector, size and the severity of the data breach. The highest level of fines will be reserved for cases where "there has been a serious breach that was likely to cause damage or distress and it was either deliberate or negligent and the organisation failed to take reasonable steps to prevent it".
February 12, 2010 - Danny
Governments are the worst organizations in existence when it comes to data protection methods. They move slowly, are often a full generation behind the tech, and when they do approve cutting-edge tech, it takes so long to implement and cut through the red tape that the tech has almost always become obsolete before it gets activated.