Security Matters: £500,000 fines for security breaches are coming
25 January 2010
Welcome to Security Matters, our newsletter on data security law, security breaches and breach action.
Security Matters is intended to
provide our clients and contacts with critical information on legal
developments in the field of data security, to give you comfort
that you are doing what is necessary to keep your organisation on
the right side of the law. If you need any help or assistance
please let us know.
In this issue:
Countdown to April 2010 – essential steps and quick wins
From 6th April 2010 organisations and individuals that breach
the Data Protection Act will be liable to fines of up to
£500,000.
This new power is just the latest step in a series of recent
reforms that have seen UK data security laws develop into some of
the strongest in the world. Other headline developments in the
past two years include:
- A law that introduces gaol sentences for people convicted of
data theft
- Regulatory guidance mandating the use of encryption
technologies
- Regulatory guidance mandating the reporting of serious security
breaches to the Information Commissioner
- A law that introduces compulsory inspections and audits of
government departments, other public authorities and data
controllers in the private sector
- Improved contractual processes for the engagement of private
sector contractors by government and other public authorities.
In light of these developments we strongly encourage our clients
and contacts to review their systems for data security, while there
is still time remaining. Leaving this until after 6th April
might be too late.

The legal basis of the fine
In May 2008 Parliament passed the Criminal Justice and
Immigration Act. This contained provisions that have
introduced a new section 55A into the Data Protection Act.
Section 55A gives the Information Commissioner the power to impose
a "monetary penalty" (a fine) on data controllers if:
- There has been a serious contravention of the data protection
principles
- The contravention was of a kind likely to cause substantial
damage or distress
- The contravention was (a) deliberate, or (b) the controller
knew, or ought to have known, that there was a risk that such a
contravention would occur and they/it failed to take reasonable
steps to prevent it
In the intervening period since May 2008 the government and the
Information Commissioner have been working on fleshing out the
details of how the fine will operate in practice. Earlier this
month the Commissioner published statutory guidance, thereby
completing the legal framework.

The legal obligation to keep personal data safe and secure
The seventh data protection principle in the Data Protection Act
requires data controllers to implement "appropriate technical and
organisational measures" to keep personal data safe and
secure. Failure to take these steps will expose the
controller to the risk of a fine, if a serious security breach
occurs. In particular, the controller is required to implement
appropriate process controls, technological controls, physical
controls, controls over workers and employees and controls over
sub-contractors.
The law's focus on controls can be further distilled down to two
areas:
- Systems controls
- Operational controls

Understanding systems and operations
A "system" for data security is the documented rules, policies
and procedures (including contracts) that describe the data
controller's position on data security. For example, a typical
system control for dealing with the risks caused by employees is a
policy requiring pre-employment vetting, including the taking-up of
references. The "operations" for data security are the actual
methods and processes that are implemented by the controller.
The legal theory is that the controller's systems should be
legally compliant and that their operations should be conducted in
accordance with their systems. By this route activities on the
ground will be legally compliant also.
Consequently, when investigating whether a security breach
constitutes a breach of the security principle (i.e., a failure to
implement appropriate technical and organisational measures for
security) the regulator and the courts will look first at the
controller's system. If the system passes muster, then the
investigation will move to the next step: a consideration of
whether the operations were conducted in accordance with the
system. If the answer is again yes, then the security breach will
not constitute a breach of the law. Of course, if the system
does not pass muster, it will be easy for the regulator and courts
to make a finding of breach of law.
For these reasons most controllers will conclude that in the
time that is remaining between now and 6th April they should review
their security system, looking for obvious gaps and failings and
making changes where appropriate.

Next steps and quick wins
At this stage in the legal cycle a data controller's system
review should focus on quick win issues, namely those that are most
likely to attract the Information Commissioner's interest in the
event of an investigation following a security breach. Some
issues are more important than others and in order to be able to
spot these it is important to track legal and regulatory trends and
developments, including enforcement actions and case law.
Data controllers who have kept on top of the issues will understand
that these are some of the priority areas:
- The security policy itself – The security policy provides the
structural backbone to the controller's security system. It
should cover all the bases, be readily accessible, easily
understood, trained upon and enforced. The adage "less is
more" often holds good; having too many security policies can
sometimes be as bad as not having enough.
- Information Security Management System – The Information
Commissioner, the government and the Financial Services Authority
have all expressed their opinion that data controllers should
implement ISO 27001 security controls.
- IT security – There are clear requirements for IT security
contained within regulatory guidance and rules for best
practice. For example, the Commissioner is clear that he
expects organisations to encrypt portable computer equipment and
storage media, to FIPS 140-2 level.
- Employee and worker adequacy – The system should have clear
rules covering all stages of the employment lifecycle, from
pre-employment vetting through to termination of employment.
- Contract and project initiation – There should be distinct
rules addressing the security considerations inherent in any new
contracts, business initiatives or projects. So, for example,
if a new direct marketing campaign is planned, the organisation
should always cover off the inherent security risks in advance. The
Information Commissioner often talks about the need for "Privacy
Impact Assessments" and "Privacy by Design", initiatives for
dealing with responsibilities at the point of contract and project
initiation.
- Third party assurance, sub-contracting and the use of data
processors – Using third party service providers always introduces
a new layer of risk. The system should address this.
- Culture, training and awareness – Everyone working in or for
the organisation should be inculcated in the security system.
- Breach handling and response – Having a system for the handling
of security incidents, including the notifying of them to the
Information Commissioner and persons affected, is a compulsory
component of the security system. Clear guidance has been
introduced to this effect.

Learning more: Data Security Breakfast Briefings
Throughout 2010 we are holding regular fortnightly "Data
Security Breakfast Briefings" at our London office,
which give expert and practical insight into the new legal
framework for data security and how to achieve
compliance. There are two sessions in the series, which repeat
throughout the year:
- Session 1: The New Legal Framework for Data
Security - understanding data protection; privacy;
confidentiality; official secrets; fines; inspections and "the
regulatory bear market". This practical session will identify
the key legal principles for data security, how they are regulated
and enforced and how they translate into action points for your
organisation.
- Session 2: Achieving Compliance -
understanding what to do, why and when: understanding the
difference between data security systems and operations; the role
of the unified security policy; accountability; culture, awareness
and training; project and contract initiation; outsourcing,
offshoring, data processors and The Cloud; employee and worker
reliability and assurance; breach handling and breach
notification.
These immensely practical sessions are designed for all
professionals with responsibilities for data security, including
lawyers, IT professionals, CISOs, data protection officers,
auditors, human resources, company secretaries and board
members. If you are one of these people it is in your interest
to come along.

There is no charge for these events.

Breach Action
If you have suffered a security breach you will also be
interested in Breach Action, our service for handling the
aftermath.

For further information, please contact Stewart Room or Eduardo Ustaran.