Advisers may be failing to accurately detect and report data breaches, experts warn, as new figures reveal just 42 incidents have been reported in the past two years.
A Freedom of Information request submitted by Money Marketing shows 42 potential breaches of the Data Protection Act have been reported by advisers to the Information Commissioner’s Office in the past two years.
A total of 62,940 data subjects were affected by the breaches. In the most serious incidents, 22,292 people were affected by a data disclosure and 17,531 people were affected by a security breach.
The majority of incidents relate to either disclosure or security issues, including hacking. Four of the incidents involve paperwork or hardware that has been lost, stolen or disposed of incorrectly.
The ICO took no disciplinary action in any of the cases. In six cases, it agreed an action plan with the firm or gave compliance advice.
Protectmydata.co.uk director Gary Williams describes the number of reported breaches as “extremely low”.
He says: “How many incidents went unreported, due to either a lack of awareness of the reporting criteria or firms adopting a head-in-the-sand approach?
“Of the incidents which were reported, 26 involved the data of 100 or fewer subjects. Unless the data compromised was especially sensitive, there may not have been a need to report these cases, again suggesting the need for education on the reporting requirements.
“There is broadly a 50/50 split between security incidents and human error, which reinforces that good IT security is as much a people issue as a technology one, and that regular training is as important as a well-defended system.”
NCC Group technical director Ollie Whitehouse says: “The numbers seem low given the size of the sector. That is likely to be down to a natural reluctance to disclose breaches, especially by smaller firms, and the fact that many small firms have neither the skills nor the technology to reliably detect a breach.
“The lack of disciplinary action is surprising, particularly for the breaches which affected large numbers of subjects.”