Saturday 28 January 2012

ICO Taking Action - 2011 Analysis

I did an analysis of the UK Information Commissioner's Office (ICO) "Taking Action" incidents for 2011. There were approximately 80 incidents where the ICO took action after personal data breaches. Of these:
  • 26 were related to unencrypted media (e.g. a lost or stolen laptop or USB memory stick);
  • 24 were caused by a misadventure of some sort with paper records;
  • 14 resulted from data being electronically sent (e.g. by email or fax) to the wrong recipient;
  • 12 came from an application or website issue;
  • 4 were categorised under "other".
The lesson for security managers is that most incidents involving personal data are caused by relatively mundane events, not advanced hacking attacks. Security awareness training should reinforce the message: be careful when processing personal data and do not use USB sticks. Technical measures include encryption of laptops and similar portable devices.

The UK's Information Commissioner (ICO) lists the actions he has taken against individuals or organisations found to have been in breach of the UK Data Protection Act. I did an analysis of the incidents for the year 2011. The main purpose is to analyse the causes of these incidents in order to gather metrics.

I divided the incidents into 5 categories:
  • Unencrypted Media - loss or theft of unencrypted media such as USB sticks or laptops.
  • Loss of Paper Records - incidents where physical documents are misplaced, lost, found in a waste bin, or similar.
  • Electronic Records Missent - personal data sent electronically to the wrong recipient by either email or fax.
  • Website/Application Issue - the action results from some sort of application or website issue.
  • Other - incidents which did not fit into any other category.
The following table shows the results:

Category                     Number of Incidents
Unencrypted Media            26
Loss of Paper Records        24
Electronic Records Missent   14
Website/Application Issue    12
Other                         4
Total                        80

The ICO does not usually say whether an actual loss occurred as a result of any incident. There are a number of incidents where you get two for the price of one; for example, a laptop is stolen along with paper records.

The results show that the majority of incidents have relatively simple or mundane causes. Advanced hacking techniques were generally not employed. The lesson to be taken from this analysis is that basic security measures will prevent the majority of these incidents:
  • Security awareness training to reinforce the message that people should be careful when pressing the send button.
  • Do not use USB sticks.
  • Encrypt laptops (and USB sticks, if they must be used).
I hope to do a more detailed analysis of the Website/Application issues in a future blog entry.
There is a spreadsheet on Google Docs of the analysis (see Useful Links).

I did a similar analysis of ICO enforcements in 2010 (see Useful Links).

Useful Links
