Personal data breaches: what firms need to do
Companies need to protect and preserve their intellectual assets with vigilance in the face of increasing risk of data theft and loss. There is an active market for stolen data and large volumes of highly sensitive data can now be bought at a relatively low cost.
Given the harm and distress a data security breach can cause to thousands of people, it has become essential for companies to safeguard the personal data of others. Not only is there the risk of financial and reputational damage when data is lost, stolen or compromised but serious breaches of personal data security are also expected to attract more severe penalties. From April 6, 2010 the Information Commissioner's Office in the UK has been able to impose penalties of up to £500,000 for serious breaches of the Data Protection Act 1998. The Information Commissioner has begun to levy fines, and issued a warning when the first two fines were announced in November 2010: "These first monetary penalties send a strong message to all organisations handling personal information. Get it wrong and you do substantial harm to individuals and the reputation of your business. You could also be fined up to half a million pounds."
New penalties for serious breaches
The Data Protection Act 1998 in the UK requires those who process personal data to ensure that they are kept secure, with appropriate technical and organisational measures taken to protect them, and to ensure that data are not retained for longer than is necessary. The serious breaches of the act which are now punishable by the Information Commissioner's Office under its new powers might include the loss of financial data, which may subject an individual to identity fraud, or the loss of sensitive personal medical data, which may cause worry and anxiety. When penalties are imposed, the commissioner will carefully consider the circumstances, including the seriousness of the breach; the likelihood of substantial damage and distress to individuals; whether the breach was deliberate or negligent and what reasonable steps the organisation has taken to prevent breaches.
The commissioner can also serve an enforcement notice to achieve compliance with the data protection principles, carry out an assessment of a company and prosecute those involved in the unlawful trade of confidential personal data.
How the new powers have been used
On November 24 last year, the Information Commissioner's Office issued two fines, both of which demonstrated its willingness to use the new powers to penalise serious breaches of the Data Protection Act. Hertfordshire County Council was fined £100,000 for two incidents where council employees faxed highly sensitive personal information to the incorrect recipients. The Information Commissioner, having been informed of the breaches by the council, decided that for this sort of breach a monetary penalty was appropriate since the council had not taken appropriate action after the first incident to prevent it from happening again.
The first incident involved information relating to child sexual abuse and a fax intended for a barrister was sent to a member of the public. The council obtained a court injunction prohibiting any disclosure of the facts of the case or circumstances of the data breach. The second fax, sent almost two weeks later, contained information about care proceedings for three children, the previous convictions of two individuals, domestic violence records and care professionals' opinions. The fax was sent to the wrong barristers' chambers.
In the second case, A4e, an employment services company, was fined £60,000 for the loss of an unencrypted laptop. The breach occurred when an employee took an unencrypted laptop home which contained sensitive personal information about 24,000 people who had used community legal advice centres in Hull and Leicester. The laptop was stolen from the employee's home, along with information such as full names, dates of birth, postcodes, employment status, income level, information about alleged criminal activity. The company reported the incident to the ICO and a fine was levied since the ICO thought that access to the data could have caused substantial distress. The company had not taken reasonable steps to avoid the loss of the data when it issued the employee with an unencrypted laptop.
In February this year it was reported that the Information Commissioner's Office had also imposed fines on both Ealing and Hounslow councils for losing unencrypted laptops containing sensitive personal information. The councils received fines of £80,000 and £70,000 respectively after two laptops containing the details of around 1,700 individuals were stolen from an employee's home. Employees were allowed to work from home in the delivery of an out-of-hours service by Ealing which served both authorities. Ealing Council did not, however, have sufficient checks in place to ensure that relevant policies were being followed or understood by staff. Hounslow's breach was that it did not have a formal contract in place with Ealing and did not monitor the other council's procedures. There was no evidence that the data held on the computers had been accessed and no complaints from clients had been received.
According to statutory guidance, the commissioner must take a pragmatic and proportionate approach when imposing monetary penalties. Factors which will be taken into account when determining a penalty are an organisation's financial resources, its sector and size, and the severity of the data breach, to ensure that undue financial hardship is not imposed on an organisation.
The guidance states that an example of a serious contravention would be failure by a data controller to take adequate security measures (e.g., use of encrypted files and devices, operational procedures, guidance, etc.) resulting in the loss of a CD holding personal data. The commissioner is more likely to consider that the data controller has taken reasonable steps to prevent a contravention if a risk assessment has been carried out or there is evidence that risks have been recognised and addressed, for example in policies and procedures.
How often does this happen?
According to Kroll Ontrack's Annual ESI Trends Report 2010, UK companies experience at least 1.53 data breaches a year. There is an active market for stolen data and sellers compete on the price, volume and quality of stolen information; offers such as "buy 1,000 credit card records and get 1,000 drivers' licence records free" are quite common. Kroll Ontrack has seen a company being offered back its own database of client records which they had not known was missing (even criminals make mistakes). Although Kroll Ontrack is hardened to such cases, it is still shocked at the large volumes and relatively low cost of buying highly sensitive stolen information.
Anticipating and managing data breaches
In many cases where data have been compromised, that data should have been deleted years ago and the companies involved had no idea they still existed; because they were unrecognised, they were also largely unprotected. Sensitive information within a company, particularly a large one, can be likened to an iceberg.
The IT department, internal audit, general counsel and other managers at the top can see some of the sensitive data and manage them, but there is often a lot of data down at various operating levels that do not get seen from the top.
Data maps and security assessments
Companies would be well-advised to build data maps which indicate where sensitive data enter, are used, are stored and leave the organisation. They should carry out internal security readiness assessments involving both procedural reviews and actual system and network testing. External specialists are able to assist with this and can identify and quickly close security holes that could otherwise be used with devastating effect.
Data breach response plans
Companies should also develop and test data breach response plans so that they know, and have practiced, what to do if an incident happens. It is important to identify outside specialists to whom the company can turn for support with crisis communication, computer forensic investigations and with notifications. When a company believes an incident may have occurred, forensic and investigative services are available to determine what did and did not happen and to secure and analyse evidence. It can sometimes be proved that a breach did not occur, or that it was far less extensive than at first believed. Help with remediation is also available, both in terms of services for those whose data were breached, and in a technical sense, to bring security to a reasonable level.
There is no such thing as 100 per cent security. This author's recommendation and she suspects that the commissioner would agree, is that a company has to maintain a "commercially reasonable" set of security measures. Based on the nature of the information and the threats to it, managers should check that their organisations are doing what well-managed companies should do to protect sensitive data. Some examples of questions that might be asked when assessing an incident and the adequacy of data security measures are as follows:
- Is the data used for business processes? Sometimes companies collect data that they do not actually use. Losing sensitive data that is not needed in the first place will create a bad impression.
- Is the data still needed? Organisations are often reluctant to get rid of data that they no longer need, even if it is sensitive. Again, it can be hard to explain why the information was retained should there be a breach.
- Was it protected? The software needed to encrypt stored data is becoming more available and affordable. The Kroll Ontrack survey suggested that the point had now been reached where failure to encrypt laptop hard drives was being recognised as negligence. The Information Commissioner's Office commented recently that of the four cases where fines had been imposed, three involved unencrypted laptops, and that password protection of portable devices was no longer sufficient.
- Will the company be able to detect an incident, or will it have to wait until an external party tells it what has happened? It is vital to have protective measures which can tell the company when something is wrong. Network firewalls, application-level firewalls, intrusion detection systems, intrusion prevention systems, log consolidation and analysis systems are defensive measures that should be considered when planning how to protect sensitive data.
- Does the company maintain proper logs and records that would facilitate the investigation of an incident? Log files that tell the company how the incident occurred, when it happened, what data were compromised and whether it is still occurring should be retained.
- Have security measures been tested? Regularly running tests in which independent experts try to breach the company's defences (so-called "penetration tests") is becoming recognised best practice, particularly for larger organisations. Traditional penetration tests, which scan for flaws in the internet-facing portions of a company's network, are no longer sufficient. Tests also need to be made for phishing (sending deceptive e-mails to get an employee to download software which actually steals or helps to steal data), social engineering (trying to talk an employee into providing access, or their password, or otherwise assisting hackers) and for sophisticated "blended" and "persistent" threats.
The cost of being cavalier
In the new regulatory climate, companies that adopt a cavalier approach and fail to take reasonable steps to put basic security provisions in place are at risk of being fined. Data breaches can severely affect a company in other ways. It is not just the cost of investigating the incident, or of notifying and providing services to those whose data have been compromised, or even the potentially crippling cost of lawsuits. The greatest cost can be to a company's or a brand's reputation. Even long-time and dedicated customers can be driven away if a breach occurs and it is not properly handled.
Potential liability arising from the failure to safeguard regulated data means that companies need to have protocols in place that allow for quick detection and rapid response when a security breach occurs and data has been compromised. Ever-changing technologies and the increasing sophistication of hackers increase the need for security protocols and systems be continuously tested, evaluated and updated.
Attention in business organisations has now shifted to securing data on mobile devices like Smartphones, given the potential security risks associated with wireless networks and removable memory, which transmit data outside the physical boundaries of an organisation. It is perhaps only a matter of time before there is a case involving these devices, particularly since they are more likely to be subject to loss, theft or tampering
Bachir A. El-Nakib