Posted: Thu, August 21, 2008
Managing Data Security Breaches
By Liz Fletcher
The Information Commissioner's Office (ICO) has published guidance on how organisations should deal with data security breaches. The guidance aims to tell organisations what to do if a breach occurs and whether or not the breach should be reported. Whilst the ICO notes that there is no law expressly requiring notification of a breach, it recognises that sector-specific rules may lead organisations towards issuing a notification.
The guidance gives a number of potential causes of security breach such as:
- Loss or theft of data or equipment on which data is stored
- Equipment failure
- Human error
- Hacking attack
- Unforeseen circumstances such as flood or fire
- Obtaining information through deception
The guidance essentially presents a checklist of basic principles that businesses can apply in order to ensure a proportionate response when data security is breached. It suggests that organisations have in place an effective breach management plan with four important elements:
- Containment and recovery
- Assessment of ongoing risk
- Notification of breach
- Evaluation and response
1. Containment and recovery
The guidance emphasises that a security breach will require not only an initial response to investigate and contain the situation but also a recovery plan and a damage limitation strategy, involving input from specialists across the organisation such as HR, legal and IT, as well as external advisors where appropriate. Organisations are encouraged to determine in advance who will lead the investigation into the breach and to ensure they have the necessary resources. Organisations should then determine who else needs to be made aware of the breach and what they should do to contain it. Examples of effective containment can be as simple as using back-up discs to restore lost data, changing the access codes on doors and, where appropriate, informing the police.
2. Assessment of ongoing risk
The guidance states that, before deciding what steps are necessary beyond immediate containment, organisations should assess the risks associated with the breach and, most importantly, the consequences for individuals. This will depend on the type of personal data involved (the greater risk being associated with sensitive personal data such as health records and financial data, which may be vulnerable to misuse) and on the number of individuals affected. According to the guidance, organisations should also consider the wider consequences, such as loss of public confidence in the service provided by the organisation.
3. Notification
"Informing people about a breach is not an end in itself". The guidance is clear that simply notifying the ICO will not be enough. Notification should have a clear purpose, whether that is to enable individuals who may have been affected to protect themselves, or to allow the appropriate regulatory bodies to perform their functions, provide advice and deal with complaints.
Factors to take into account when deciding whether to notify include:
- Are there any legal or contractual requirements?
- Will notifying help you meet your security obligations under the Data Protection Act?
- Will notifying individuals help them mitigate their risks, for example by cancelling cards or changing passwords?
- The dangers of "over-notifying": notifying a customer base of 2 million if only 200 are affected may cause disproportionate work and enquiries.
The guidance states that if a large number of people are affected, or the consequences are serious, then the ICO should be informed.
How an organisation notifies will depend on the urgency of the situation and the security of the medium used for the notification. Specific and clear advice should be given when notifying individuals, and a clear means of contact such as a helpline or webpage should be provided. If notified, the ICO will expect to see details of any security procedures in place at the time of the breach. The ICO will not normally inform the media or any other parties, but may advise the organisation to do so. Depending on the nature of the breach, an organisation may need to notify other third parties such as the police, insurers, professional bodies, trade unions, banks or credit card companies.
4. Evaluation and response
The breach management plan should also contain a process for evaluating how a breach was caused and how that problem can be addressed in the future. The guidance stresses the risks of adopting a "business as usual" approach following a security breach without carrying out this process of evaluation and response. It also states that if an organisation already has a business continuity plan that deals with serious incidents, then a similar plan should be considered for security breaches.
The ICO's Guidance on Data Security Breach Management is available along with other useful information relating to data protection at www.ico.gov.uk.
New powers for the Information Commissioner to fine for data protection breaches
On 8 May 2008 the Criminal Justice and Immigration Act received Royal Assent. It will give the ICO the power to impose substantial fines on organisations that deliberately or recklessly commit serious breaches of the Data Protection Act 1998 (DPA).
Section 55 of the DPA will be amended to give the ICO the power to serve financial penalty notices on data controllers who commit serious breaches of the data protection principles. Before serving such a notice, the ICO must:
- be satisfied that the breach is serious and of a kind likely to cause substantial damage or substantial distress;
- be satisfied that the breach was deliberate, or that the data controller knew, or ought to have known, that there was a risk that the breach would occur and that it would be likely to cause substantial damage or distress, but still failed to take reasonable steps to prevent it; and
- serve a notice of intent giving the data controller an opportunity to make representations.
The data controller will be able to appeal any penalty to the Information Tribunal and the ICO is required to publish guidance on the basis upon which it will issue fines.
The maximum level of the fines and the nature of the information to be included in a financial penalty notice will be prescribed by secondary legislation, and no timetable for the publication of draft regulations has yet been fixed.
About the author
Liz Fletcher is a solicitor in Hugh James' commercial and technology practice. Liz advises on general commercial, technology and intellectual property transactions. She has acted for both private sector
and public sector clients in a broad range of sectors within the UK including blue chip corporations and suppliers with operations in the finance, insurance, IT and telecommunications sectors. Liz joined
Hugh James in 2006 and has particular experience in technology and communications contracts, outsourcing, intellectual property and services agreements.
Find out more about Hugh James at www.hughjames.com
Send a comment about this article to editor@itwales.com