In today’s world, more and more organisations are becoming heavily reliant on their data. Naturally, with this increasing amount of important data comes an increasing responsibility!
So what are the most common ways in which important data ends up in the wrong hands?
Both public and private sector organisations are investing heavily in protecting their data from external breaches. But what steps are being put in place to mitigate the risk of an internal breach? And what happens when they do have a breach?
For public sector organisations, the former Cabinet Secretary Gus O’Donnell made it mandatory for all government departments to notify the ICO after an incident that has led to compromised data, and also to detail all breaches in their annual reports, outlining the steps they are taking to mitigate the risk of a future breach.
However, in the private sector it is a completely different story.
It has been outlined that in a serious data breach these organisations should inform the ICO as a matter of good practice; nonetheless, they are under no legal obligation to do so. This gives organisations complete anonymity and could leave many customers completely unaware that their personal details could be in the wrong hands.
This lack of obligation for organisations to come out in public and declare a data breach must come as a relief for some, but are we giving these organisations a scapegoat for inadequate security practices, and breeding a potentially harmful culture amongst staff who are not sufficiently aware of how to handle important data?
In theory, requiring an organisation to come out publicly and declare a data breach should make companies sit up, take stock and re-evaluate their compliance and policy management procedures. This should, in turn, increase the uptake of best-practice behaviours around data security and allow the relevant people to invest in an appropriate Information Security Management System (ISMS) which meets the ISO 27001 standard.
It has been law in California for private companies to declare data breaches since 2002, and a further 40 states have since followed suit. This ensures that private organisations invest in the right areas and train their staff to the highest levels, ultimately decreasing their chances of any form of data breach.
In today’s world, a data breach doesn’t just come with financial implications; it’s the reputational damage which can cause permanent harm to a company.
The UK is moving in the right direction, with discussions of a data breach disclosure law, but the question is: are they moving quickly enough?