After a deluge of data breaches, the UK government is considering ways to provide the public with better shelter, through strengthening data protection law and punishment. Andrew Dyson, DLA Piper
Britain’s centrist Liberal Democrat party has dubbed 2007 the worst year for data protection and privacy, as almost 37 million Britons saw their records lost in the ether.
Some 25 million were due to the government’s well-documented bumbling loss of child benefit records. Although you’re less likely to hear if a bank or retailer has suffered a breach, a good number of the remaining 12 million were down to several well-known brands standing in the firing line for fuzz-ups. Nationwide and Leeds building societies, Monster.com and of course TK Maxx were amongst the big names hitting the headlines, inviting people to worry about whether their data is safely stored on databases.
As it stands, the UK Data Protection Act and the information commissioner Richard Thomas are often seen as powerless enforcers of the law, as those who are penalised can walk away with nothing worse than a small fine and a slap on the wrist.
“The so-called ‘toothless’ law is starting to bite,” says Robin Hollington, director of consulting at Global Secure Systems. “However, the information commissioner has had too few powers of enforcement. Other than the financial sector enforcement of Nationwide and Norwich Union, with fines made by the FSA, few organisations have felt the tangible cost of non-compliance.”
He adds: “The most critical consequence of unauthorised data disclosures remains that of loss of customer confidence and reputation damage. Those responsible for data within organisations can already be held accountable, and face criminal charges. But that’s if the person whose data has been compromised can prove they have suffered harm or distress as a result.”
Despite the high number of firms handling data these days, there are still relatively few cases whereby companies are prosecuted for breaching data protection laws. This begs the question, are they all behaving themselves, or is the law ineffective?
Tough justice
"The security professional now needs to consider information lifecycle management in its entirety, reviewing all of the internal and external locations that an organisation could potentially leak sensitive information."
Andy Maurice, director of consultancy, Iron Mountain Europe
Politicians believe the law needs to change. An extremely bad year for data bumbles has given them reason to beef up the Data Protection Act and make people (or companies) in charge of such data more accountable for mistakes.
As such, the government is now trying to make it a criminal offence to neglect or repeat data breaches. Parliament’s Justice Committee has backed the move, also arguing that large-scale users of personal data (such as corporations) should pay for the increased workload in enforcing this law.
At the moment, all UK organisations pay an annual fee of £35 ($68, €47) to handle data. But if the changes were accepted, higher fines could give the Information Commissioner’s Office further resources to follow up on more cases, while changes in the law could lead to bigger fines and the possibility of custodial sentences.
The Information Commissioner’s team could also be given permission to perform spot checks on how companies handle their data. Could firms end up paying more money to use customer data? And would the threat of higher penalties affect infosecurity staff?
“This will have a massive impact on security professionals,” says Andy Maurice, director of consultancy, Iron Mountain Europe. “They will need to take into consideration how their organisation handles personal information in all stages of its lifecycle, as well as the different formats that this information can exist in.”
“The security professional now needs to consider information lifecycle management in its entirety, reviewing all of the internal and external locations that an organisation could potentially leak sensitive information,” he says.
“Until recently, this has been a rather reactive process. It is now mandatory for all EU bodies to have a data protection officer in place, which is a clear indication that data protection is now taking centre stage,” Maurice adds. “Those organisations that stand out as champions of data protection will be those who have evolved their business processes.” But are those business processes really evolving? And do their staff treat data with the necessary respect? Research indicates this is not the case.
One fib too many
A survey by Dynamic Markets, on 300 managers and employees at UK and Irish companies where most staff use computers, found that one in six (16%) employees tells lies to cover up mistakes that resulted from the wrong version of information being presented to colleagues and customers. The report, commissioned by Tower Software, also claimed that 67% of employees think people in their organisation might have unknowingly presented the wrong version of information in this way.
Research carried out in November by Ipsos Mori on 1000 British adults, for the antivirus giant Symantec, found that almost two-thirds of the public distrusts the government’s data handling ability, while 61% distrusts the methods corporations employ. Almost half (46%) felt that data-protection laws are inadequate.
While these views conveniently reflect a message for research sponsors that people need to do better security, they also add weight to the government’s stance to get tougher on carelessness. Unclear rules however, might lead to employees ending up in jail if they mislaid a laptop or a pack of CDs containing data.
Andrew Dyson, a partner at law firm DLA Piper, argues that this certainly would not be the case. “The principal Data Protection Act is for those people who deliberately breach data – it’s people hacking and those who misuse data,” he says. “On a corporate level it’s only if it’s very sensitive data and someone has been very reckless. I think that [jail] is unlikely to be relevant [for company people] as this is targeted at people who illegally access data.”
For a long time, legal eagles and security folk have talked about the possibility of a breach disclosure law in the UK. The law would mean that if a company lost any customer data, the people affected would have to be told.
The legal systems of several US states including California already include such legislation, requiring companies operating there to tell their customers if a data breach occurs. The Californian law, SB-1386, and its equivalents has forced companies to confess breaches on several occasions.
But the prospect of a similar regulation in the European Union still looks unlikely, Dyson believes. He says in many ways companies have to tell their customers about breaches anyway – as this is one of the best routes to better security. But that doesn’t necessarily mean you find out how your data was stolen. And it doesn’t exactly inspire confidence in a firm.
Ignorance is bliss?
“Security professionals should be asking themselves, ‘why are we not getting better at controlling the risks?"
Robin Hollington, director of consulting at Global Secure Systems
Saying that, last year the House of Lords pushed for consultations over data-breach-notification rules instead of waiting for orders from the European Commission. But while that is still in the early stages of processing, the British Standards Institution (BSI) has started work on yet another security benchmark.
“To this end the BSI has started work on the development of a formal British Standard on Data Protection,” says GSS’s Hollington. “The aim of this proposed standard will be to provide organisations with a method of assessing and demonstrating their compliance with the requirements of the Data Protection Act.”
He adds: “The information commissioner has given his full support to the proposal to develop a British Standard on Data Protection. The BSI envisages the standard being used by organisations as a tool to assist in addressing their obligations under the Data Protection Act.”
“Security professionals should be asking themselves, ‘why are we not getting better at controlling the risks?’ Both the risks and the countermeasures are embedded within recognised best practice standards including ISO27001/2, but still there is a general lack of respect for or adoption of security procedures by staff.”
Any changes to the information commissioner’s powers remain to be seen – and even if the Data Protection Act is changed, it could be some time before the ICO becomes more powerful than other regulatory bodies.
In fact, DLA Piper’s Dyson says that companies in the financial services industry are more likely to come under fire from the Financial Services Authority (FSA). This is because the FSA can implement faster, tougher penalties on companies’ errors.
“Last year, Nationwide had a laptop stolen,” he says. “The information commissioner and Nationwide looked at it. In the end, the information commissioner passed it over to the FSA because it has more power.” Nationwide ended up paying £980 000: “There’s no way the information commissioner could have done that.”
Any change in legislation could also have an effect on the way data is used. Phil Becket, a director in Navigant Consulting’s disputes and investigations practice, says the wide-spread use of data analytics could soon come under scrutiny.
“Currently the data protection regulations include a caveat excluding investigators from complying with the regulations,” he says. “Although this is unlikely to change, I expect companies and organisations to become far more nervous about permitting data analysis, data matching and PC imaging as a result of the criminalisation of data loss.
“Companies may be less willing to permit these investigative techniques even though they are no less able to permit them because of the perception that it is against the rules.”
