Data Protection: What Price Security?


Catrin Huckle, Commerce & Technology Group, Lawrence Graham LLP

Legal philosopher John Austin took the view that a law was only valid to the extent that it was backed up by the threat of sanction; the theory being that we all need an incentive to comply with the laws which are imposed upon us. In the commercial world this theory can hold a great deal of sway: why go to the trouble and expense of complying with some of the more bureaucratic laws if there is no penalty for not doing so?

Against this backdrop it is unsurprising that the Information Commissioner takes very seriously the frequently levelled criticism that he has no real ‘teeth’ when it comes to enforcing the Data Protection Act 1998 (DPA). The Commissioner's riposte invariably relies on the observation that formal action can still be to the severe detriment of a company's reputation, and there can be little doubt that this is a serious consideration in the business community.

In early 2007 the Commissioner took formal action against eleven banks and other financial institutions in connection with their breach of the Seventh Data Protection Principle which requires data controllers to keep the personal data they process secure by ensuring that they have appropriate technical and organisational measures in place to guard against unauthorised or unlawful processing as well as accidental loss, destruction or damage.

The companies had failed to protect their customers' details, including by the insecure disposal of financial reports containing customers' names, addresses, dates of birth, account numbers and balances, as well as PIN details and old bank cards. Whilst, on this occasion, the Commissioner’s formal action did not include a direct financial penalty, the impact of publishing details of a company's misdemeanours on the Information Commissioner's website should not be underestimated.

Another recent case has highlighted that it may not only be a company's reputation which is at stake when it fails to take appropriate measures to safeguard the security of the personal data in its care. In February 2007 the Financial Services Authority (FSA) fined Nationwide Building Society £980,000 for a string of data security failures which had been exposed when one of its laptops was stolen from an employee’s home. The fine was imposed in respect of Nationwide's breach of the third of the FSA's Principles for Business (which closely mirrors the requirements of the seventh data protection principle). Nationwide had failed to:

  • adequately assess the risks to its data security;
  • put in place adequate or effective procedures to manage those risks;
  • adequately train and monitor staff in relation to the company’s information security procedures; and
  • implement adequate controls to mitigate the security risks.

As a result, Nationwide did not respond in an appropriate or timely manner to establish the risks of financial crime to its customers arising from the laptop theft. It did, however (albeit after a slight delay), implement a range of additional measures to increase security around its accounts, write to all of its customers explaining the loss of the information and the measures which customers could take to minimise the risk of identity theft, and commission a comprehensive review of its information security procedures and controls. These measures contributed to the FSA's decision to reduce the fine by 30% from the £1.4 million it had initially envisaged.

Even though the laptop had been password protected, and there was no evidence that any customer data had been misused as a result of the theft, the message was loud and clear: Nationwide should have had a more thorough risk assessment and security procedure in place; staff should have been trained in what steps to take when such data is lost; and the company should have found it easier to identify the data held on the laptop and to gauge the potential threat should it have been misused.

How can you maintain data security?

What can companies do to improve data security and so minimise the risk of falling foul of the Seventh Data Protection Principle?

  • A risk assessment should be carried out to identify what data security issues there may be. What type of personal data do you have? How sensitive is it? How is it used? Who has access to it? Have there been any problems in the past?
  • Security measures and procedures should be put in place to address the potential threats and any existing vulnerabilities. Paper files should be stored in lockable cabinets. Computers should be password protected. Personal data should be shared within the organisation only to the extent that it is necessary. Spare copies of documents containing personal data should be destroyed.
  • Security measures and data protection procedures should be reviewed and updated, and methods of improving data security should be identified. The cost of implementing improvements should be balanced against the benefits for customer security. Has new technology become available which could be used to significantly improve data security?
  • Adequate and relevant data protection training should be given to all employees (as well as certain service contractors, cleaners for example) to remind them of:
    • the importance of protecting personal and/or confidential data;
    • the data security procedures which the organisation has in place: who should they tell if they suspect that personal data has been lost, and is there a number they should call if customer files are lost or stolen?;
    • the need to dispose of confidential waste securely, by shredding or in lockable bins; and
    • the need to monitor what personal data is stored and where: what data do employees have on their laptops, and do they ever take customer data off the premises in other ways?
  • Waste disposal contracts should be reviewed to ensure that contractors are under sufficient obligations to maintain data security.
  • If sensitive or valuable personal data is being collected through a website, a secure, encryption-based transmission must be used and the data should be held on a secure server which has encryption safeguards.
  • Where appropriate, remind customers of their responsibilities in protecting their own personal data by:
    • keeping passwords and account numbers confidential;
    • destroying invoices and other confidential documentation which you may have sent them; and
    • not allowing others to access their computer if it contains sensitive or personal data which is not password protected or encrypted.

Where now?

The Nationwide case may have brought data security into the spotlight, but does a single headline case really provide us with the ‘threat of sanction’ that John Austin envisaged? That very much depends on an individual assessment of the risk to any particular organisation. But an alternative argument says that it is not the sanctions (potential or otherwise) which are the issue, but rather the law itself.

Aside from the general requirements set out in the DPA and the FSA's Principles for Business, there is currently no requirement under UK law for companies to take any particular action in the event of a data loss. The closest we have is regulation five of the Privacy and Electronic Communications (EC Directive) Regulations 2003; but this is of very limited scope, requiring only that providers of public electronic communications services notify customers of any significant risks to the security of the service and, if appropriate, the measures (and likely costs) which can be taken to minimise that risk.

The European Commission recognises that there is a pressing need for greater transparency in the handling of personal data, and it has published a consultation proposing that internet service providers (ISPs) and network operators be placed under a duty to notify customers and the relevant national regulator of security breaches involving personal data.

Implementation would bring Europe more closely into line with the US, where companies are required to notify data subjects of any lapses in data security. Whilst opponents argue that such a requirement would be undesirable because of the significant administrative and financial strain it would place on businesses, it may be that direct accountability will prove the most significant deterrent.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
