
Security Matters: £500,000 fines for security breaches are coming


 

Welcome to Security Matters, our newsletter on data security law, security breaches and breach action. Security Matters is intended to provide our clients and contacts with critical information on legal developments in the field of data security, to give you comfort that you are doing what is necessary to keep your organisation on the right side of the law. If you need any help or assistance please let us know.

 


Countdown to April 2010 – essential steps and quick wins

 

From 6th April 2010 organisations and individuals that breach the Data Protection Act will be liable to fines of up to £500,000.

 

This new power is just the latest step in a series of recent reforms that have seen UK data security laws develop into some of the strongest in the world. Other headline developments in the past two years include:

  • A law that introduces gaol sentences for people convicted of data theft
  • Regulatory guidance mandating the use of encryption technologies
  • Regulatory guidance mandating the reporting of serious security breaches to the Information Commissioner
  • A law that introduces compulsory inspections and audits of government departments, other public authorities and data controllers in the private sector
  • Improved contractual processes for the engagement of private sector contractors by government and other public authorities.

In light of these developments we strongly encourage our clients and contacts to review their systems for data security, while there is still time remaining. Leaving this until after 6th April might be too late.

 



 

The legal basis of the fine

 

In May 2008 Parliament passed the Criminal Justice and Immigration Act. This contained provisions that have introduced a new section 55A into the Data Protection Act 1998. Section 55A gives the Information Commissioner the power to impose a "monetary penalty" (a fine) on data controllers if:

  1. There has been a serious contravention of the data protection principles
  2. The contravention was of a kind likely to cause substantial damage or distress
  3. The contravention was (a) deliberate, or (b) the controller knew, or ought to have known, that there was a risk that such a contravention would occur and they/it failed to take reasonable steps to prevent it

Since May 2008 the government and the Information Commissioner have been working on fleshing out the details of how the fine will operate in practice. Earlier this month the Commissioner published statutory guidance, thereby completing the legal framework.

 



 

The legal obligation to keep personal data safe and secure

 

The seventh data protection principle in the Data Protection Act requires data controllers to implement "appropriate technical and organisational measures" to keep personal data safe and secure.  Failure to take these steps will expose the controller to the risk of a fine, if a serious security breach occurs. In particular, the controller is required to implement appropriate process controls, technological controls, physical controls, controls over workers and employees and controls over sub-contractors. 

 

The law's focus on controls can be further distilled down to two areas:

  1. Systems controls
  2. Operational controls



 

Understanding systems and operations

 

A "system" for data security is the documented rules, policies and procedures (including contracts) that describe the data controller's position on data security. For example, a typical system control for dealing with the risks caused by employees is a policy requiring pre-employment vetting, including the taking-up of references. The "operations" for data security are the actual methods and processes that are implemented by the controller.

 

The legal theory is that the controller's systems should be legally compliant and that their operations should be conducted in accordance with their systems. By this route activities on the ground will be legally compliant also.

 

Consequently, when investigating whether a security breach constitutes a breach of the security principle (i.e., a failure to implement appropriate technical and organisational measures for security) the regulator and the courts will look first at the controller's system. If the system passes muster, the investigation moves to the next step: were the operations conducted in accordance with the system? If the answer is again yes, the security breach will not constitute a breach of the law. Of course, if the system does not pass muster, it will be easy for the regulator and courts to make a finding of breach of law.

 

For these reasons most controllers will conclude that in the time that is remaining between now and 6th April they should review their security system, looking for obvious gaps and failings and making changes where appropriate.

 




Next steps and quick wins

 

At this stage in the legal cycle a data controller's system review should focus on quick win issues, namely those that are most likely to attract the Information Commissioner's interest in the event of an investigation following a security breach. Some issues are more important than others and in order to be able to spot these it is important to track legal and regulatory trends and developments, including enforcement actions and case law.  Data controllers who have kept on top of the issues will understand that these are some of the priority areas:

  1. The security policy itself – The security policy provides the structural backbone to the controller's security system. It should cover all the bases, be readily accessible, easily understood, trained upon and enforced. The adage "less is more" often holds good; having too many security policies can sometimes be as bad as not having enough.
  2. Information Security Management System – The Information Commissioner, the government and the Financial Services Authority have all expressed their opinion that data controllers should implement ISO 27001 security controls.
  3. IT security – There are clear requirements for IT security contained within regulatory guidance and rules for best practice.  For example, the Commissioner is clear that he expects organisations to encrypt portable computer equipment and storage media, to FIPS 140-2 level.
  4. Employee and worker adequacy – The system should have clear rules covering all stages of the employment lifecycle, from pre-employment vetting through to termination of employment.
  5. Contract and project initiation – There should be distinct rules addressing the security considerations inherent in any new contracts, business initiatives or projects.  So, for example, if a new direct marketing campaign is planned, the organisation should always cover off the inherent security risks in advance. The Information Commissioner often talks about the need for "Privacy Impact Assessments" and "Privacy by Design", initiatives for dealing with responsibilities at the point of contract and project initiation.
  6. Third party assurance, sub-contracting and the use of data processors – Using third party service providers always introduces a new layer of risk.  The system should address this.
  7. Culture, training and awareness – Everyone working in or for the organisation should be inculcated in the security system.
  8. Breach handling and response – Having a system for the handling of security incidents, including the notifying of them to the Information Commissioner and persons affected, is a compulsory component of the security system. Clear guidance has been introduced to this effect.


 


 

Contact


Stewart Room

Partner, London

Email
+44 (0)20 7861 4850

 

 


Eduardo Ustaran

Partner, London

Email
+44 (0)20 7861 4842

 

Field Fisher Waterhouse LLP
35 Vine Street
London EC3N 2PX

 

t. +44 (0)20 7861 4000

w. www.ffw.com

Breach Action

If you have suffered a security breach you will also be interested in Breach Action, our service for handling the aftermath.


Data Security Law and Practice 

Butterworths' Data Security Law and Practice

Stewart Room has written the country's first-ever book on data security.

 


 


 

 
 

 

Learning more: Data Security Breakfast Briefings

Throughout 2010 we are holding regular fortnightly "Data Security Breakfast Briefings" at our London office, which give expert and practical insight into the new legal framework for data security and how to achieve compliance. There are two sessions in the series, which repeat throughout the year:

  • Session 1: The New Legal Framework for Data Security - understanding data protection; privacy; confidentiality; official secrets; fines; inspections and "the regulatory bear market".  This practical session will identify the key legal principles for data security, how they are regulated and enforced and how they translate into action points for your organisation.
  • Session 2: Achieving Compliance - understanding what to do, why and when:  understanding the difference between data security systems and operations; the role of the unified security policy; accountability; culture, awareness and training; project and contract initiation; outsourcing, offshoring, data processors and The Cloud; employee and worker reliability and assurance; breach handling and breach notification.

These immensely practical sessions are designed for all professionals with responsibilities for data security, including lawyers, IT professionals, CISOs, data protection officers, auditors, human resources, company secretaries and board members. If you are one of these people it is in your interest to come along.

 


 

There is no charge for these events.

 

 

 

This e-mail/publication is provided for information purposes only and is not a substitute for detailed advice on specific transactions and should not be taken as providing legal advice on any of the topics discussed, nor should it be taken as creating a solicitor-client relationship between the reader and Field Fisher Waterhouse LLP.

Please note that where this email/publication contains links to pages/items on third party websites, while such information may be available to be viewed and downloaded, this is subject always to the terms and conditions applicable to the particular website(s). Field Fisher Waterhouse LLP is not responsible for the content or operation of third party websites.

Copyright Field Fisher Waterhouse LLP 2010. All rights reserved.
