ViaSat raps ICO for going easy on private sector

Data loss folder

Digital comms vendor ViaSat UK has hit out at the Information Commissioner's Office (ICO) for not taking a hard enough line with private sector firms that breach the Data Protection Act (DPA).

The firm submitted a Freedom of Information Act request to the ICO, asking for details about the data breaches that took place between 22 March 2011 and 17 February 2012.

The results revealed that 730 self-reported breaches occurred during that period, and 297 were resolved.

With new EU data protection laws coming into effect in 2016, both the private and public sectors must take the utmost care over data security Six of these 297 cases resulted in financial penalties being issued, but only one of these settlements involved a private sector firm, which was ACS:Law.

Chris McIntosh, chief executive of ViaSat UK, said, because the ICO can only act on self-reported data breaches, the actual number of private sector incidents could be much higher.

"While the ICO has shown great progress in ensuring the public sector regains control over data security practices, the private sector still has a relatively free rein," he said.

"As the public increasingly trusts the private sector with its information, we need to ensure this [data] is managed responsibly, especially as the private sector reported the most thefts of data or hardware in the past year."

ViaSat's findings also revealed that 281 (38 per cent) of the 730 self-reported breaches resulted from emails and documents being sent to people in error. Local government accounted for 53 per cent of these types of breaches.

Lost hardware was cited as the cause of 108 breaches. Out of these, 37 per cent involved the NHS.

"With new data protection laws from the EU coming into effect in 2016, both the private and public sectors must take the utmost care over data security," added McIntosh.

"The ICO [also] needs to be sure the private sector is aware of all its breaches and undertakes audits and training."

In a statement to IT Pro, the ICO said financial penalties are just one "of a range of options" it can use against non-compliant private sector firms.

"We can only issue civil monetary penalties (CMP) where the breach has caused substantial damage or distress to individuals or has the potential to do so, and in instances where the organisation should have been aware of the risk and failed to prevent it," said the ICO statement.

"We will always consider a CMP whenever these criteria are met, regardless of the sector the organisation falls into," it added.

Caroline Donnelly is the news and analysis editor of IT Pro and its sister site Cloud Pro, and covers general news, as well as the storage, security, public sector, cloud and Microsoft beats. Caroline has been a member of the IT Pro/Cloud Pro team since March 2012, and has previously worked as a reporter at several B2B publications, including UK channel magazine CRN, and as features writer for local weekly newspaper, The Slough and Windsor Observer. She studied Medical Biochemistry at the University of Leicester and completed a Postgraduate Diploma in Magazine Journalism at PMA Training in 2006.