Which companies will you trust with your data? Less than half it seems

Stuart Corner
Thursday, 25 September 2008 12:37

Your IT - Home IT

He called for it to made mandatory for all organisations to report significant breaches of confidential personal information to the UK's Information Commissioner or their regulatory body. "Only through mandatory reporting will the scale of the problem be understood, which will lead to the correct solutions being applied," Best said.

Best concluded: “It is clear from this survey that IT and security training remains a fundamental issue, with 70 percent of those surveyed not training staff in IT security and information handling procedures. As employers now look to adopt flexible working initiatives, they must invest in a comprehensive security awareness policy to mitigate against potential information breaches."

In Australia, the Privacy Commissioner recently released a Guide to Handling Personal Information Security Breaches for use by businesses, agencies and non-government organisations.

It suggests that individuals affected by a breach should be notified where a breach creates a real risk of serious harm to the individuals, but notes that the Privacy Act places no requirement on organisations to do so.

However the Australian Law Reform Commission has just made a recommendation that mandatory breach notification be introduced into law and the Privacy Commission says that its guide could inform the Government's response to that recommendation.

Logica says that its study also found a lack of awareness of how to securely manage data and a lack of knowledge of how to prevent a security breach among many organisations. "Only 30 percent educate staff in IT security and information handling procedures on a regular basis, with less than a third employing a specific security incident response team."

The survey also revealed that while 63 percent of those surveyed hold personal data subject to EU data handling regulations, but only a quarter comply with ISO27001/2, meaning that companies are not adhering to security procedures when storing personal data.