Low awareness of data protection rules as breaches rise

18 Feb 2011

One-fifth of Irish businesses had a data breach in the past 12 months and many more aren’t aware of their requirements under data protection rules, according to a new survey by the Irish Computer Society.

The group’s Data Protection Attitudes and Practices Survey 2011 polled 286 people across IT and management roles. The survey was published in advance of the 3rd Annual ICS Data Protection Conference 2011 next week. Also among the findings was that almost half of respondents were not aware of new rules regarding the mandatory reporting of data breaches to the Data Protection Commissioner.

Fewer than half of those surveyed felt that senior management give data protection rights and responsibilities due consideration. “Senior management ignore data security issues,” one respondent commented. Only a third of respondents believe that all members of staff know who is responsible for data protection in their organisation. Even where a procedure is in place to deal with a data breach, just 15.2pc of respondents were confident that this policy is known by all staff.

More than half of those surveyed felt they had not received sufficient data protection training while one in five respondents were not confident they understand their responsibilities under the Data Protection Act.

Policies regarding data breaches

Only 36pc of respondents felt their organisation has a formal procedure in place following a data breach. The survey also raised the issue of cost of compliance with data protection legislation. One respondent commented, “we are paranoid about security, but know most think it is cheaper not to be.”

While one in seven respondents had suffered a personal data breach in the past 12 months, more than two-thirds of respondents were not confident they would be informed of a data breach involving their personal information.

A culture of secrecy still seems to surround breaches, if some respondents’ comments are to be believed. One spoke of an attitude where “those who come out and report get in trouble, so there’s no motivation to report” while another claimed “most organisations cover up data breaches”. Another comment was that senior management places no great weight on data security. “People who report data breaches are seen as a nuisance or worse,” the person said.

Data security in the news

Hugh Jones, data protection specialist at Longstone Management and an associate tutor with the ICS, said he was disappointed at the low awareness levels given the recent flurry of DP-related headlines, as well as the Data Protection Commissioner’s own campaign to promote awareness and compliance in the lead-up to the Election campaign.

He doesn’t believe data protection is suffering because business priorities are focused elsewhere in the current economic climate. “I don’t think this explains it. Certainly, economic conditions are to the fore, but the stats indicate a complacency; ie, someone else – usually in IT – is looking after it.”

Jones also said the reported figures of data breaches don’t tally with his experience. “In a week when the UK government is reporting that cyber crime is worth close to stg£27bn per year, a majority of individuals still claim never to have been victims. This perpetuates the profile of identity theft and cyber crime as ‘something that happens to other people,’ ” he told Siliconrepublic.com.

However, the list of ‘other people’ is growing all the time. Fine Gael and RecruitIreland.com were both recently victims of attacks on their websites, which compromised personal information. News also emerged that Anglo Irish Bank CEO Mike Aynsley’s home was burgled in November and his laptop was stolen. The nature of information contained on the computer led to both the DPC and the people mentioned in the data being notified.

Jones was sceptical that recent cases would focus more attention on the issue, and suggested that stricter fines may ultimately be needed. “Many (data) controllers are compliant and diligent in their duty of care. The only thing that will catch the attention of the remainder is when a data controller is hit with a penalty provided within the legislation; not a popular view in a difficult economic climate, but it’s difficult to see any other option to make controllers take notice,” he said.

Gordon Smith was a contributor to Silicon Republic
