About

What

Breach Watch lists all formal action taken by UK regulators (currently the Information Commissioner’s Office and the Financial Services Authority) in response to data breaches.

Why

Breach Watch was created to provide an easy to use listing of all regulatory action. It started as a document I produced for clients so they could:

  • Learn from other’s misfortune.
  • Understand what the regulators are concerned about and get a better understanding of what constitutes appropriate technical and organisational measures.
  • Use examples of real cases in training and internal reports.

How much

Currently there are over 300 reports of regulatory action.

  • All FSA enforcement from 2007 to 2012.
  • All ICO undertakings, enforcement notices and monetary penalties from 2007 to 2015.

It is usually updated monthly. There is an RSS Feed.

Who

Breach Watch is edited and maintained by me, John Elliott. I’m an information security / governance, risk and compliance consultant. I’m interested in the junction between information security technology and information rights law — and in particular how information security is regulated. If you want to find out more then look for me on LinkedIn and very occasionally Twitter @withoutfire. For the avoidance of doubt:

  • Although I’ve an LLM in Information Rights Law, I am not a lawyer, and nothing on Breach Watch is intended to be legal advice.
  • Everything published here is my personal opinion, and does not represent the views of my past or current employers.

What’s the conclusion

  • Over 40% of the undertakings and monetary penalties listed here were the result of the loss or theft of unencrypted data, typically on a memory stick or an unencrypted laptop.
  • Over 50% were the result of insufficient training or education of staff, typically relating to insecure use of personal data, such as transferring it to an unencrypted storage device – notice the strong theme about unencrypted, portable data. Many of these principles also relate to the security of physical documents also.
  • A major point to appreciate is that in the majority of cases the insufficiently secure data was simply lost as a result of human error – it was the failure to prepare for such an event, rather than the loss of the item itself, that was the issue and the cause of the regulatory action.
  • In cases of theft it is extremely rare that the data was stolen for its own value, but rather was stolen alongside something else, such as a laptop or a bag containing physical records. Encryption of data in advance is important to prevent access to this data and minimise the danger posed by such unfortunate events.
  • Ensuring that staff are sufficiently trained in key data protection principles and that encryption policies are actually followed would protect against the primary danger of accidental loss, the most common cause of a breach threat.

In three sentences …

  1. Encrypt the hard disk of laptops and USB memory sticks
  2. Train your employees in basic data protection
  3. If you take paper containing personal data out of the office, have policies and procedures and train everyone.