How to prevent costly data breaches

  • Technology requires the storage and use of significant amounts of data, and protection is paramount if councils are to avoid losses and subsequent reputational damage
  • Councils could make six-figure savings with an appropriate technology strategy
  • We take a look at the first in a series of five guides helping support risk and insurance managers

From balancing the books to dealing with ever-changing regulations, local authorities face a wide range of challenges and difficult decisions – a situation that looks set to continue.

Following research conducted in 2014, in association with Ipsos MORI, several risks were identified by local authorities.

Zurich Municipal has now created five guides outlining practical measures for reducing some of these risks, on the subjects of information governance and technology; fraud; environment; public health and social care; and transformation.

This series of downloadable guides is designed to help risk and insurance managers understand the complex network of risks they face, and the strategies councils can employ to manage them.

Here, we focus on the first of these guides and discuss information governance and technology.

Data security is paramount

Technology is proving to be a powerful strategy in the fight against austerity. Across the country, local councils are making six-figure savings using the latest technological tools, from video conferencing to online payment services.

However, in order to use much of this technology, councils must acquire and store a huge amount of data – much of it personal and sensitive – which means data security is paramount.

Serious consequences

Loss of data can have serious consequences for a local authority, including: regulatory fines; liability for damages; extortion, theft or malicious attacks against individuals if information gets into the wrong hands; threats to service delivery; and significant reputational damage.

A Zurich Municipal report published last year found 99% of local authorities are either very confident or fairly confident in their ability to protect sensitive data.

But the evidence suggests this confidence may be misplaced. It has been reported that more than half of councils have suffered a data breach in the past two years. Official figures also show that the local government sector is second only to the NHS for the number of data breaches reported to the Information Commissioner’s Office (ICO), with 233 breaches reported in 2014.

Human error

The majority of these breaches relate to human error, with very few resulting from hacking or other online theft. The ICO has handed out a number of six-figure fines to local authorities for data breaches resulting from human error (the maximum possible penalty is £500,000).

As our Information Governance and Technology guide highlights: “It is a common misconception that cyber attacks, committed maliciously or with criminal intent, are the most serious danger.

“For this reason, data protection may mainly focus on IT solutions such as firewalls, robust passwords and data encryption. Clearly it is important to have all of these in place, but in fact most breaches for local authorities occur because individuals possessing data fail to understand the possible ramifications of how and where they use and transfer it – and to whom.”

Danger of personal devices

Today, more and more employees hold sensitive work-related information on their personal devices, such as mobile phones and laptops, which increases the likelihood of a data breach.

A council in Scotland was fined after an employee inadvertently uploaded confidential information to a website via their home computer.

Ken Macdonald, Assistant Commissioner for Scotland at the ICO, said following that breach: “As more people take the opportunity to work remotely, organisations must have adequate measures in place to make sure the personal information being accessed by home workers continues to be kept secure.”

Partnership working

Budgetary pressures are also leading more and more councils to outsource services, or partner with other organisations.

But how can local authorities be sure partner organisations are taking the same robust approach to data security as they are? How should councils decide which kinds of data can safely be shared, and what can they do to ensure this information remains secure when it leaves their organisation?

How Zurich Municipal can help

We tackle these questions and more in our Information Governance and Technology guide.

The guide also examines a number of data management strategies employed by local authorities, and suggests what councils should be asking before embarking on a strategy.

To discuss any aspect of the report, please contact us at info@zurichmunicipal.com.