Security Breach Fines Double – But Don’t Forget Shoulder Surfing In Your Threat Assessment
Fines for company data security breaches have been making the headlines over the last few years, not least within financial services firms. Things are set to ‘hot up’ as the authorities double the number of fines for not managing sensitive information properly, and the EU calls for even larger fines.
Examples of data security failures are plentiful. In July 2012, the Information Commissioner’s Office (ICO) fined Welcome Financial Services (WFS) £150,000 for a data breach that saw over half a million customers’ details go missing. In 2010, Zurich Insurance Plc was forced by the ICO to confess publicly to the loss of 46,000 records containing customers’ personal information. Subsequently, the Financial Services Authority fined them £2.2m: the largest it has levied so far on a single firm for a data security failure. During the past 12 months, the ICO issued a fine of £325,000 against an NHS Trust in Brighton for a data protection failure that allowed hard drives containing patient details to be sold on an internet auction site.
Number of fines doubled 2012-2013
Not only has the number of fines doubled, but the values are sky-rocketing. The ICO has stepped up its enforcement activities, issuing double the number of data breach fines in 2012-2013 as it did in the previous 12 months. The ICO issued 20 monetary penalties in 2012-2013 totalling £2.6 million. During the previous year, the organisation fined just nine organisations, generating £791,000 in the process. Between March 2012 and March 2013, there were 1,150 self-reported breaches made to the ICO, compared with only 730 between 22 March 2011 and 17 February 2012.
The problem is here to stay
Data breaches are a very real threat and companies need to take steps to understand where the vulnerabilities are to limit risk: the threats are not just from organised hacking into a website or cloud database anymore. With companies encouraging mobile workforces, visual data breaches can occur by simply peering over someone’s shoulder at the computer screen or tablet. And who hasn’t done that on a packed commuter train on occasion?
The problem is exacerbated with the availability of high resolution cameras built into most smartphones, making it all too easy to snap a picture. Wherever there is a screen to view sensitive data, there is a potential risk. The same data protection legislation applies to these visual security oversights, so financial services companies are putting themselves at risk if they don’t address this often forgotten human aspect of data security.
Shoulder-surfing: a very real problem
To highlight the problem, a 2012 survey by ComRes of 2,000 workers found that 71 per cent of employees have been able to see or read what someone is working on over their shoulder. Despite being aware of the potential problems that could arise from shoulder surfing, more than half (53 per cent) said they do not take precautions to protect sensitive or private information from potential snoops – even when they work in high-risk environments such as trains, planes or coffee shops. Given the huge growth of smartphones and tablets in the last 18 months, these figures are likely to be even higher.
And that’s not the end of it: in January this year the European Union Commissioner for Justice, Viviane Reding, called for bigger fines for companies that breach data privacy laws within the Union. These are potentially significant: companies responsible for more serious violations could be fined up to 5% of their global annual turnover.