ICO to CEOs: Step Up

ICO to CEOs: Step Up

October 29th, 2008

The Information Commissioner’s Office (ICO) in the UK, with Information Commissioner Richard Thomas, have made a public statement calling on CEOs to take responsibility for data protection safeguards.

The Information Commissioner, Richard Thomas, announced that the number of data breaches reported since November 2007 has reached 277. November 2007 marks when HMRC lost 25 million child benefit records (story here). Of those 277 breaches, 28 are attributed to the central government. The ICO is investigating 30 of the most serious breaches of this past year.

In a speech delivered to the RSA Conference, Commissioner Robert Thomas talked about the state of data security, or “data insecurity“, he adds. The HMRC data breach of 25 million child benefit records merely brought the existing data security issues to public and political attention, Thomas notes.

“The number of breaches brought to our attention is serious and worrying. I recognise that some breaches are being discovered because of improved checks and audits as a welcome result of taking data security more seriously. More laptops have now been encrypted and thousands of staff have been trained. But the number of breaches notified to us must still be well short of the total.”

Arguing that information can be a “toxic liability” as well as an asset, Robert Thomas challenges CEOs to ensure that they are minimizing the amount of data they hold and that appropriate data security measures are being taken. He says this responsibility lies with the CEO, not with the IT department or other staff.

“It’s no good saying the IT boys are looking after this, it’s no good saying the lawyers are sorting out the policies, it’s no good saying human resources are doing the training – it’s right across the organisation.”

Richard Thomas notes that personal information is the lifeblood of both government and business, but that more responsibility needs to be taken to assure that data remains safe. The first step in that is to understand the risks being faced associated with the vast centralized stores of data and its portability across networks and devices.

The ICO continues to offer advice on data security, from the encryption of laptops to improved data access policies. As noted several times by the ICO in their report, the actual figures for data breaches probably are much higher than 277. Currently there is no legal obligation to report data losses in the UK, and many data breaches may go undetected.

Out of the 277 reported breaches, 67 were due to the loss or theft of a computer or laptop. The National Health Service (NHS), the worst breach offender so far for 2008 with 75 breaches, has had 27 of those breaches the result of lost or stolen computers. Learn how Computrace can help provide multi-layered security solutions for your computers here.

Further Reading: