Data breaches triple at UK Financial Institutions

The UK’s Information Commissioner’s Office (ICO) has revealed that there were 585 investigations into reported breaches of the Data Protection Act within the financial services sector in the financial year to April 2015. According to the Financial Times (paywall), this compares with 183 reported breaches for the same period of the previous year.

Our first response might well be to wonder why the number of reported data breaches has tripled in such a short space of time. Some argue that the number of breaches has actually risen. Others argue that only the level of reporting has increased, since there is no mandatory requirement for companies to report data breaches to the ICO.

According to the article, the British Bankers’ Association (BBA) asserts that the increase is caused by considerably more effective internal compliance procedures within its member firms. But that doesn’t really explain why banks would feel the need to inform the ICO just because they are better at spotting data breaches after they have occurred. Of course, once the new EU Data Privacy Regulations come into force there will be a statutory obligation to report breaches.

Another possibility is that banks are considerate organisations that want to ensure transparency in their dealings, and that this is what drives them to report their mistakes to the ICO. However, that seems a tad unlikely. The truth lies somewhere else: some of the reports of data breaches come from customers, not from the financial institutions themselves. These are effectively complaints about banks failing to look after customer data properly.

A recent ICO survey of consumers found that concern over how companies use their data has been growing. Combine this with the finding that the same consumers’ concern over how banks manage their data has fallen, and we get a strange set of results: reporting levels have shot through the roof, customers are overall less concerned about bank breaches than before, and banks have been getting better at monitoring data breaches.

We are now left with a couple of observations. Firstly, just because banks have more efficient compliance processes for the reporting of data breaches does not mean they are any better at preventing breaches from occurring in the first place.

The most common causes of breaches of the Data Protection Act by financial institutions are inaccurate data being recorded and problems with handling requests by customers to access the data held about them. Another thing worth bearing in mind is that four banks account for one third of all reports to the ICO about data breaches in the banking community.

Secondly, as human error is the root cause of a significant proportion of complaints, there is a strong argument in favour of increasing staff training so that people are made more aware of how easy it is to breach the Data Protection Act by accident.

Finally, before anyone not working for a financial institution kicks back with relief at not being in the firing line, remember that just because the Financial Times hasn’t reported on the state of your industry doesn’t make it perfect. Also, the fact that consumers are less concerned about how financial institutions handle their data merely leaves room for them to be more concerned about how your company is handling their data instead.