Recent research suggests that financial services have been a major perpetrator of Data Protection breaches over recent years with a disturbing rise in sensitive information being disclosed to the wrong recipients in many key industries. “Convenience, not security, continues to be key when information is being shared with third parties, regardless of the risks” according to the conclusions of a report published by data software company, Engress.
The findings are based on a data information request from the Information Commissioner’s Office (ICO) and its report provide some concerning results for British businesses. Whilst lenders. insurance providers and financial advisers, do not perform well - worryingly, they are not alone.
Despite the growing emphasis on data protection, which has come as a result of many high-profile losses and breaches, there has been a disturbing rise in the number of breaches in many key industries.
Public Sector and healthcare, primarily NHS, organisations have experienced the greatest number of data breaches between April to June 2013 and April to June 2014. With a 101% rise in breaches in the period from 91 to 183, healthcare organisations top the list for the number reported, followed by local government and education organisations. Central government also experienced a growth of over one-third (38%).
However, the Private Sector has also experienced an alarming rise in data breaches. The financial industry is one of the hardest hit, with an increase of 200% in insurance, 200% seen for lenders and 44% for financial advisers, and a 200% rise for pension providers.
Concerning increases have also been seen by the housing sector (67%), telecoms (150%) and recruitment (300%), with ‘general business’ experiencing a 143% increase.
These industries have seen a notable increases in fines for data protection violations.
In August 2014, the ICO even sounded the alarm on Barristers and Solicitors warning them to keep personal information secure, especially paper files. This follows a number of data breaches reported to the ICO involving the legal profession.
The ICO can serve a monetary penalty of up to £500,000 for a serious breach of the Data Protection Act provided the incident had the potential to cause substantial damage or substantial distress to affected individuals. In most cases these penalties are issued to companies or public authorities, but barristers and solicitors are generally classed as data controllers in their own right and are therefore legally responsible for the personal information they process.
Between May and July 2014 alone, 15 incidents involving members of the legal profession were reported to the ICO. The information handled by barristers and solicitors is often very sensitive. This means that the damage caused by a data breach could meet the statutory threshold for issuing a financial penalty. Legal professionals will also often carry around large quantities of information in folders or files when taking them to or from court, and may store them at home. This can increase the risk of a data breach.
Information Commissioner, Christopher Graham, said:
“The number of breaches reported by barristers and solicitors may not seem that high, but given the sensitive information they handle, and the fact that it is often held in paper files rather than secured by any sort of encryption, that number is troubling. It is important that we sound the alarm at an early stage to make sure this problem is addressed before a barrister or solicitor is left counting the financial and reputational damage of a serious data breach.
The fact is many data breaches can be avoided. It requires tight processes and a commitment to ensure data safety. Whilst many companies undertake sporadic training on data protection, many companies fail to ensure appropriate systems are in place to ensure data integrity.
The role of employees has been deemed alarming. “Only 7% of breaches for the period occurred as a result of technical failings,” Egress reported. “The remaining 93% were down to human error, poor processes and systems in place, and lack of care when handling data.”
Fines and Self Reporting
Fines have been issued totalling some £6.7m since 2010.
Public sector and private companies are obliged to report a data breach although it is voluntarily. Firms that admit a serious breach have been anonymised by the ICO so as not to deter self-reporting in the future, however there is growing evidence that private companies are 80% less likely to report data breaches than public bodies, given the extent of the fines.
A staggering £600,000 of the total pay outs were due to information being emailed to the incorrect recipient, £320,000 attributed to using the wrong fax number and £170,000 for postal address inaccuracies.
Tony Pepper Chief Executive of Engress told Mortgage Introducer on Friday that “… a continued reliance on fax and post demonstrates a concerning lack of care and control taken with sensitive documents. He added: "Organisations need to make data protection a priority.
It is clear that much of the information we handle in financial services, such as client passports, utility bill, bank statements and wage slips may not be of a physical value in their own right, but the highly sensitive information they possess is dangerous if placed in the wrong hands. Measures such as online data encryption, the use of professional courier services rather than postal system and proper long term record keeping and record handling, all serve to mitigate the inherent risk.
The issue of data safety, is becoming more significant for businesses, with new European proposals being discussed at the European parliament. It is suggested that fines have to significantly increase to ensure data protection is more on the Board agenda for most companies.
Where businesses do not comply or are complacent, the European Commission has suggested fines of up to 5% of annual worldwide turnover, or €100m.
The possibility has also been mooted for individuals and consumer associations, acting in the public interest, to bring claims for non-compliance. Capital Fortune welcomes this idea and is about to take its own stance against an international courier company, which deny losing highly sensitive client information belonging to the Company’s clients.
On June 12, 2014, the French Data Protection Authority (the “CNIL”) issued a public warning to one such courier company for failure to limit access to client personal data via the Internet. The files contained personal data, including client names, addresses, phone numbers and email addresses as well as specific information relating to deliveries.
The same accident prone company was involved in a lengthy scramble during which officials searched to find a missing diplomatic bag containing DNA samples from Afghanistan. The delivery company who handed the samples, along with bank details, medical records and passport application forms, were meant to be flown from Kabul to the UK.
It was only after six months of delays and worldwide searches, that the Foreign Office finally contacted all the people affected, telling them the items were missing. Meanwhile, the courier firm failed to apologise over the incident.
A British Embassy official in Kabul said: ‘It would have been nice to have received something…to forward on to the senders in the way of an apology but we’ve had nothing.’
The Financial Industry
Lenders who incurred repeat security breaches in 2013 included Santander – which was found unlikely to have complied with the act 15 times.
The ICO was made aware of 199 separate concerns within the lender sector throughout the year. Lloyds TSB, which then split into Lloyds Banking, featured on the offender’s “concern” list, as well as NatWest, Royal Bank of Scotland, HBOS, Aviva, Nationwide Building Society and Yorkshire Building Society.
Additionally, some 36 further financial services firms self-reported serious data breaches and were issued investigated by the ICO enforcement team, but were granted anonymity.
Central government departments were also listed as “concerns”. The Department for Work and Pensions (DWP), for example, was deemed “unlikely” to have complied with data protection law on 20 separate occasions.
Further, the ICO found HMRC was also likely to have breached the act on 15 occasions, the Home Office five times, the Ministry of Defence (MoD) three times and the Ministry of Justice (MoJ) six times.
Government departments were served 37 enforcement notices in total during the year.
Some 314 cases amongst local and central government were “resolved informally” and seven further councils were required by court to take action, including Mansfield, Luton Borough Council – on two occasions - and Royal Borough of Windsor and Maidenhead.
There were 12 local government cases were either a court order or enforcement was served.
Police departments were tagged as concerns on 33 separate occasions. Potential criminal breaches were discovered on three occasions and enforcement teams investigated departments 61 times throughout the year.
Retail and Internet Firms
Almost 20 internet companies were subject to enforcements or possible criminal investigation following serious breaches.
There were 24 serious breaches in the retail sector, including UK grocery store Asda after it published personal data online and an employee lost a USB with confidential information.
Insurance and Utility Providers
Almost 40 insurance providers were listed as a concern by the ICO and a further 24 were serious enough to be investigated by the enforcement team. In five cases this included a potential criminal breach.
Meanwhile, there were seven instances where utility companies were investigated for potential criminal breaches, all of which were informally resolved. One instance included hacking of a database and another included an error in a mail-merge which revealed personal data of its customers.
There is no doubt these fines will make data protection a boardroom issue and will require companies to carefully review what they need to do to comply. Data loss and breaches can damage business reputation, as well as cause untold stress to the individuals involved.
Ross Brewer, vice president and managing director for international markets, LogRhythm, commented: "The ICO seems to be taking data security more seriously and organisations will have no choice but to take heed if they wish to avoid the financial and reputational repercussions of a breach. With the growing number of fines that the ICO is dishing out, it will be much easier for the public to identify those organisations that are being irresponsible with their data.”