July and August 2012 saw an in-depth research project examining the impact of UK data losses on a range of public and private sector organisations, and occasionally on individuals directly. The report was produced for Shredded Neat Limited, a confidential shredding and data destruction company based just north of Brighton, United Kingdom.
The study showed that the main medium of data loss over the last 20 years was document loss, followed closely by hard disk drive (HDD) loss. The circumstances leading up to the loss were evenly spread between theft, accidental loss in transit, insecure storage and poor waste disposal practice. Interestingly, a significant number of loss incidents were associated with locations where alcohol was available.
In our study, fines were imposed in 21% of the losses, though a significant number of prosecutions are still pending in court, which would lift the likelihood to 30%. The study underestimates the likelihood that an organisation will be fined, since the ICO (Information Commissioner's Office), which was responsible for the majority of these fines, has only had the necessary powers to fine organisations since 2010. The average fine imposed by the ICO was £155,000, within a range from £60,000 to £325,000. Other regulatory bodies can also impose fines: the study found a fine of £2,300,000 imposed by the Financial Services Authority (FSA), and another by the Federation Internationale de l'Automobile (FIA), which fined the McLaren F1 Team US$100 million.
Since November 2010, the FSA has levied seven fines for data breaches in the UK, totalling £7,777,000, and the ICO a further 23 fines, totalling £2,426,000.