Data security breach fines increase by over 200% in 2012
02 April 2013
The number of organisations that have been fined by the Information Commissioner's Office (ICO) for data security breaches increased dramatically in 2012, according to research from European law firm Field Fisher Waterhouse.
The research showed that 2012 was the most prolific year yet for serious ICO enforcement action, with 25 fines, three enforcement notices, six criminal prosecutions and 31 undertakings (through which organisations undertake to improve their data protection practices). This compares with 2011, which saw only seven fines, one enforcement notice, five criminal prosecutions and 69 undertakings. These findings demonstrate that the ICO is increasingly turning to fines to regulate data security failures and other serious breaches of data protection
The latest research from Field Fisher Waterhouse analysed ICO's enforcement actions in 2012 and found
- Data security breaches remain the most regulated type of failure, accounting for 88% of all
- 80% of ICO-imposed fines were issued to the public sector
- 60% of ICO-imposed fines within the public sector were issued to a local authority
- Data controllers who voluntarily self-report an incident to ICO are not given immunity from enforcement; 84% of fines were self-reported
Technology partner at Field Fisher Waterhouse Stewart
"This analysis provides valuable insights into ICO's enforcement strategy and how it translates into action. The ICO does not hesitate to take serious enforcement action for failures to comply with data protection law, and is becoming a real force to be reckoned with and a driver for change.
"Looking at the year ahead, we can expect ICO's enforcement activity to continue at this pace or even intensify, focusing on the areas that ICO has prioritised as posing a higher data protection risk, namely health, internet and mobile, financial services, security and criminal justice.
"Although the public sector will remain firmly on ICO's radar, we can expect the regulator to turn more of its attention to the private sector. This is likely to mean more serious enforcement action, but we also expect a greater appetite to challenge enforcement actions."
Further findings from the research
international data transfers
- In the private sector, enforcement is more fragmented, with suppliers of health services just in the lead, followed by financial institutions, telecoms, and providers of property and real estate services.
In light of this analysis, Field Fisher Waterhouse encourages data controllers to take the following
- Familiarise themselves with ICO's enforcement strategy and monitor ICO enforcement cases.
- Risk-assess their data security system and policy framework, and take action if there are concerns.
- Look closely at their mechanisms for engaging and contracting with third parties who process data on their
- Provide adequate and up-to-date data protection training to staff.
- Take practical steps to mitigate the risk of misdirected communications, including faxes, emails and
- Implement a data security incident response
For further information, please
Paula Nugent, PR Executive, Field Fisher Waterhouse LLP on 020 7861 4526
Kamara, PR Manager, Field Fisher Waterhouse LLP on 020