Security experts have called for changes to the data protection framework after new research revealed a huge disparity between the number of breaches reported to the ICO and the volume of stolen device incidents handled by police over the past year.
Security and communications firm ViaSat UK submitted Freedom of Information requests to all UK police forces and found that they dealt with at least 13,000 device theft cases between March 2014 and March 2015.
In comparison, the data protection watchdog, the Information Commissioner’s Office (ICO), investigated 1,089 breaches over the same period.
The two figures are not like-for-like: a stolen device only amounts to a reportable data breach if it held personal data and that data was accessible, for example because the device was not encrypted. But if even a fraction of the 13,000 devices carried sensitive corporate or personal data, thousands of breaches could be going unreported.
“We must remember that 13,000 thefts is the bare minimum: considering that not all police forces could share this information, the real figure is likely to be many times greater. As a result, thousands of individuals’ private data could well be on borrowed time,” said Chris McIntosh, CEO of ViaSat UK.
“It’s clear that this discrepancy isn’t due to the ICO but the framework it has to operate in. As it stands, the ICO simply doesn’t have the tools and powers it needs to ensure that either all threats are reported, or that risk is minimized.”
He argued that even without breach notification laws, at the very least, data encryption should be made mandatory, with the ICO given the power to police such a rule.
Of the 1,089 breaches reported to the ICO, the two largest sources were healthcare (431) and local government (129).
The much-anticipated EU General Data Protection Regulation, which will update and harmonise data protection laws across Europe, is expected to contain a provision mandating notification of breaches over a certain minimum size.
McIntosh told Infosecurity that the regulation is a step in the right direction.
“Mandatory breach notifications are key to encouraging organizations to secure information appropriately; however, it is also important that external compliancy checks are conducted,” he added.
“That said, it is unrealistic to believe that we will ever see anything approaching a 1:1 match between data breaches reported and the actual losses that an organization suffers. Therefore ensuring that breaches cannot place personal information at risk – for example through mandatory encryption or other methods – is a far more realistic goal.”