FoI Requests Show Businesses Vastly Under-Report Stolen Devices to ICO

By Steve McCaskill

Just one-tenth of all devices stolen from businesses containing sensitive information are being reported to the Information Commissioner’s Office (ICO).

According to Freedom of Information (FoI) requests submitted by security firm ViaSat UK, 13,079 such devices were reported to police between March 2014 and March 2015, but the ICO reported just 1,089 data breaches.

The actual number is certainly higher given that only 34 of the 46 U.K. police forces responded to the requests and just 31 were able to provide detailed information.

Data Loss Landscape

Given the majority of breaches reported by the ICO relate to the public sector, this vast underreporting by the private sector means the scale of data loss in the United Kingdom is likely to be far worse than previously thought. ViaSat UK has called for the ICO to receive greater powers to protect the privacy of individuals.

“It’s clear that this discrepancy isn’t due to the ICO but the framework it has to operate in. As it stands, the ICO simply doesn’t have the tools and powers it needs to ensure that either all threats are reported, or that risk is minimized,” said Chris McIntosh, CEO of ViaSat UK.

“For instance, encrypting sensitive data is now a trivial matter in terms of both cost and complexity. If encryption of personal data was made mandatory, and enforced with spot checks and suitable punishments, then the public and the ICO could have much greater confidence that none of the 13,000-plus stolen devices represent a threat.

ICO Powers

“The ICO’s role is to encourage best practice in data protection. While it is clear that its financial penalties are aimed at this goal, it still needs more legal and financial muscle to drive its goals. While compulsory reporting of every single potential breach could be difficult to enforce, inevitably it would give the ICO a clearer view of the problem and allow it to better mandate best practice.

“However, in the meantime compulsory encryption, and the power to police it, is the absolute minimum that the ICO should be granted.”

The ICO itself has requested greater powers and funding in the past. It claims its role as an independent regulator is becoming more important as the number of complaints it receives rises.

“We’re effective, efficient and busier than ever,” said information commissioner Christopher Graham last year. “But to do our job properly, to represent people properly, we need stronger powers, more sustainable funding and a clearer guarantee of independence.”