ViaSat raps ICO for going easy on private sector
Vendor claims just one private sector firm got fined by the Information Commissioner's Office last year.
Digital comms vendor ViaSat UK has hit out at the Information Commissioner's Office (ICO) for not taking a hard enough line with private sector firms that breach the Data Protection Act (DPA).
The firm submitted a Freedom of Information Act request to the ICO, asking for details about the data breaches that took place between 22 March 2011 and 17 February 2012.
The results revealed that 730 self-reported breaches occurred during that period, and 297 were resolved.
With new EU data protection laws coming into effect in 2016, both the private and public sectors must take the utmost care over data security Six of these 297 cases resulted in financial penalties being issued, but only one of these settlements involved a private sector firm, which was ACS:Law.
Chris McIntosh, chief executive of ViaSat UK, said, because the ICO can only act on self-reported data breaches, the actual number of private sector incidents could be much higher.
"While the ICO has shown great progress in ensuring the public sector regains control over data security practices, the private sector still has a relatively free rein," he said.
"As the public increasingly trusts the private sector with its information, we need to ensure this [data] is managed responsibly, especially as the private sector reported the most thefts of data or hardware in the past year."
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
ViaSat's findings also revealed that 281 (38 per cent) of the 730 self-reported breaches resulted from emails and documents being sent to people in error. Local government accounted for 53 per cent of these types of breaches.
Lost hardware was cited as the cause of 108 breaches. Out of these, 37 per cent involved the NHS.
"With new data protection laws from the EU coming into effect in 2016, both the private and public sectors must take the utmost care over data security," added McIntosh.
"The ICO [also] needs to be sure the private sector is aware of all its breaches and undertakes audits and training."
In a statement to IT Pro, the ICO said financial penalties are just one "of a range of options" it can use against non-compliant private sector firms.
"We can only issue civil monetary penalties (CMP) where the breach has caused substantial damage or distress to individuals or has the potential to do so, and in instances where the organisation should have been aware of the risk and failed to prevent it," said the ICO statement.
"We will always consider a CMP whenever these criteria are met, regardless of the sector the organisation falls into," it added.