Last week the Information Commissioner’s Office issued telecoms company Talk Talk with a record £400,000 fine for the security failings that allowed a cyber-attack to access nearly 160,000 customer files last year.
In a statement announcing the fine, the Information Commissioner criticised Talk Talk for failing in the "basic principles" of cyber-security.
The case is a powerful reminder of what happens when organisations don’t look after the personal data they hold. It results in costly fines, reputational damage and an erosion of trust between individuals and the organisation in question.
Public sector risk
While it is a private sector company making the headlines this time around, a quick look at the ICO’s log of data security trends shows that it is the public sector which is responsible for the lion’s share of data security incidents. Over the past year, health has led the way in this area, with local government in second place.
The risk of data security breaches is arguably higher than it has ever been in the past. This is in part down to the ongoing risk of malicious cyber attacks.
More pertinently, the fact that organisations in the public sector are expected to collaborate more closely, share and publish data creates new risks for organisations to consider and manage.
All this is happening where time and resources are increasingly stretched.
More teeth for the watchdog
Public sector IT teams, as the guardians of the systems which manage, store and move data, need to put this issue at the top of their in-tray. This is particularly the case in light of the new EU General Data Protection Regulation, which will substantially tighten up the rules around privacy and consent. It will also strengthen the position of the ICO, which will be required to be more proactive in auditing organisations to check that they are meeting their obligations.
Implications for IT
An urgent job for IT leads looking at the issue of data security is to establish the impact of GDPR regulations on their organisation and what they need to do to respond effectively. The most obvious impact on in-house IT teams will be the huge task of auditing legacy data held by their organisation so they can establish where it all is and what will need to be done to make sure it is being used in line with the new regulations.
But there are also substantial implications for how local authorities work with their IT suppliers in the future to ensure they fulfil their security obligations effectively. This is something which will require changes to the processes, contracts and responsibilities which are currently in place.
Putting these new arrangements in place will take time and needs to be taken in hand now, because it is already clear that, when it comes to protecting personal data, there is little patience for organisations who fail to do the right thing.