UK had 277 serious data breaches this year alone

This year has not been a good one in terms of data breaches – from the loss of child benefit details to the loss of top secret information on known terrorists.

It is almost a year since 25 million child benefit records were lost by HMRC, but this is really only the tip of the data loss iceberg: since November 2007 the breach total has risen to 277 unique cases.

Speaking at the RSA Conference on data breaches, Information Commissioner Richard Thomas revealed that central government has committed 28 breaches, 75 have been found within the NHS and other health services, and a whopping 80 within the private sector.

Enforcement has already been taken against HMRC, the Ministry of Defence, the Department of Health, the Foreign and Commonwealth Office, Virgin Media, Skipton Financial Services, Carphone Warehouse, Talk Talk, and Orange.

Yet, although these cases have been investigated, it is unclear just how many have not been reported; some organisations don’t even realise information has been stolen from right under their noses.

We now live in an age where our every move is recorded. This can be used efficiently and securely to provide good services, yet as things stand at present, our personal details are just not safe, and therefore should probably not be collected in the first place.

Thomas explains that there are three main ways for companies to ensure secure data handling – clear thinking and paperwork, getting the technology right and focusing on people and behaviour.

The Information Commissioner's Office has made clear for some time that a stronger approach is required to help prevent unacceptable information handling, which seems to have hit home: just this year Parliament decided that the ICO should have the power to impose substantial penalties for deliberate or reckless breaches.

The powers that be are working to make sure that data loss and breaches are made public when absolutely necessary instead of causing widespread panic, with individuals notified only if they are in danger.

Thomas says that, "Put simply, where the risks posed by security breaches are serious, a notification requirement would be too timid. If they are not, it would be excessive."
theinquirer.net (c) 2010 Incisive Media
