British companies were forced to pay £2,170,000 worth of monetary penalties for breaching the Data Protection Act (DPA) between January 2013 and October 2014, it has been revealed.
Despite the fact that compliance with the DPA is mandatory for all organisations, a total of 66 enforcement notices for infringements were issued by the Information Commissioner’s Office (ICO) during the period.
Poor information security was the biggest single reason for these sanctions, according to a comprehensive analysis by IT governance, risk management and compliance firm IT Governance.
The research reveals that enforcement notices were issued by the ICO for both massive and extensively damaging cyber security breaches, as well as simpler but no less significant contraventions – such as faxes that were sent to the wrong recipients.
Monetary penalties were more severely enforced for online breaches and cyber attacks, costing companies an average of £52,308 per incident. By contrast, losing a device or file cost companies £35,000 on average.
An additional area of concern is that a staggering 94% of all notices issued in the last 18 months were attributed to noncompliance with the seventh principle of the DPA.
This requires that “appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”.
This finding highlights the lack of due diligence in data protection and poor information security. The financial implications are also considerable, with the estimated average cost per data breach incident over the last 20 months amounting to £35,574.
“With cyber criminals becoming increasingly sophisticated, it is more difficult than ever to ensure that all possible access points into an organisation’s systems are protected and to effectively reduce cyber risks,” said Alan Calder, founder and executive chairman of IT Governance.
“Organisations should be turning to ISO27001, the international information security standard, as a means to address both the strategic and operational aspects of information security, and to conform to the principles mandated by the DPA (e.g. Principle 7) and other regulations.
“With the proposed EU Data Protection Regulation expected to come into force next year, and the continued proliferation of data breaches, companies cannot afford to be complacent about data protection and information security.”