Data Protection Commissioner sees rise in reported data breaches

30 May 2011

Data breaches reported to the Data Protection Commissioner rose by 350pc in 2010, following the introduction of a more stringent code of practice in the middle of last year.

Publishing his annual report earlier today, Data Protection Commissioner Billy Hawkes said last year had seen a “dramatic increase in the number and significance of organisations that have lost personal data”. The report shows 410 data security breach incidents from 123 organisations were reported to the DPC in 2010, up from 119 reports from 86 organisations in 2009.

“It can be assumed that the sudden increase reflects the more exacting demands placed on organisations by the code of practice rather than an increase in the absolute number of data breaches,” the report said. The figures show the level of reported breaches spiked after the code was introduced last July. At the press conference this morning, the DPC confirmed early signs suggest this year’s level of breaches will be similar to last year’s.

Irish organisations and data breaches

Hawkes said the actual number of data breaches involving Irish organisations is higher than even the report indicates. “We would expect that there are more data breaches than are reported to us, but we’re happy there’s an increased consciousness of the significance of avoiding data breaches. That’s the major impact we seek from the report,” he said.

There has been a rise in the number of data breaches through compromised websites, but Hawkes said there had been fewer cases of breaches resulting from lost or stolen laptops because of more widespread use of encryption technology. “Large companies, in particular, seem to have got a grip on this and we would come down heavily on those that are ignoring appropriate security measures,” he said.

The full report covers several incidents from last year, including the compromise of a GAA database which contained the names and addresses of about 500,000 members and dates of birth for 289,000 members along with 107,000 mobile phone records.

Currently, the DPC is limited to naming organisations that have fallen foul of the regulations in its annual report only, but a recommendation made by a working group set up under the previous Minister for Justice, Equality and Law Reform is that it would have the power to publish special reports throughout the year. “We would welcome that,” said the deputy commissioner Gary Davis.

Case studies

The report contains case studies of several investigations, including prosecutions of Ice Communications for failing to comply with legal notices and of three companies for sending unsolicited marketing text messages. Two other cases saw Fairco and Pure Telecom prosecuted for calling phone numbers listed on the opt-out register.

As of this week, the DPC will have the power to prosecute companies in the telecoms sector if they fail to provide adequate protection for personal data. Until now, his power has only extended to punishing unsolicited marketing.

As with all organisations in the public sector, the DPC’s office was subject to budget reductions of 20pc last year, giving the agency €1.45m to cover its running costs.

The DPC also noted with concern the increasing use of CCTV and biometrics technology in inappropriate places. The report referred to CCTV use in schools in counties Mayo and Kildare. “Other use, for example in schools, needs very convincing justification,” said Hawkes.

Gordon Smith was a contributor to Silicon Republic