Drop in data breach fines despite uptick in security leaks

The number of data breaches reported to the Information Commissioner's Office (ICO) has increased over the past year, while the penalties issued by the data protection watchdog have more than halved.

That's according to information obtained by network security vendor ViaSat through a Freedom of Information (FoI) request.

The response to the FoI revealed an 11 per cent increase in reported data breaches to the regulatory body between the March 2013 and March 2014, compared to the same period the previous year.

The health sector had the dubious honour of leading the pack for the most-reported breaches, with 37 per cent of the total. Local government and education came second and third, respectively, with 15 and 8 per cent of the share.

The most common form of data breach, at 48 per cent, involved the sending of information to the wrong recipient. Lost or stolen paperwork followed, making up 16 per cent of reports, while lost or stolen hardware accounted for 8 per cent.

A total of 20 fines worth 2,610,000 were imposed by the ICO between 2012 and 2013, while just 12 fines totalling 1,230,000 were issued between 2013 and 2014. This equates to a 53 per cent drop.

Despite the increase in the number of security breaches reported to the body, it chose to hand out fewer monetary penalties.

Chris McIntosh, CEO of ViaSat, said the reduced numbers could be down to a number of factors, including whether the ICO is not fully investigating less high-profile and high-severity breaches. "[There is] still a huge amount of potentially sensitive data in the wrong hands," he added.

In response, an ICO spokesperson told IT Pro: "Civil monetary penalties are one of a range of formal enforcement actions available to the Information Commissioner's Office, alongside undertakings, legal enforcement notices and prosecutions.

"Data breaches are assessed on a case-by-case basis and we issue fines accordingly," they added.