Regulations will be used against you if you do not protect
partner or customer information.
Firms operating online face an increasing risk of security
violations that many are not equipped to meet. Are businesses
legally required to take information security seriously, and what
will be the consequences if they do not?
The British standard on information security management, BS7799,
identifies three categories of information security:
confidentiality; integrity - protecting information against
tampering; and availability. A comprehensive information security
policy should address all of these.
From a legal standpoint, apart from the risk of irreparable damage
to business data and goodwill, companies whose systems are
compromised through poor security may incur significant
liabilities. If the company holds data relating to third parties
(such as customers and suppliers), they may be able to sue it for
breach of contract if that data is accessed or modified by an
unauthorised person.
The company may also face an action for breach of confidence if
sensitive data relating to business partners is compromised.
Individuals may even be able to bring a claim under the Human
Rights Act for failure to protect their right to privacy where
public bodies inadvertently allow access to their personal data.
This all demands serious consideration but it does not make
information security a legal requirement.
The closest approximation in English law to a legal requirement for
information security lies in data protection legislation.
The seventh data protection principle in the Data Protection Act
1998 provides that "appropriate technical and organisational
measures shall be taken against unauthorised or unlawful processing
of personal data and against accidental loss or destruction of, or
damage to, personal data".
This is supposedly bolstered by an obligation under the Act for
firms to include a "general description" of how they intend to
comply with this principle in their notifications to the
Information Commissioner.
Yet that description is insufficient for the commissioner to
determine whether the measures that firms intend to take will
indeed be "appropriate", given the nature of the data and the
processing to which it will be subject.
Nor are firms' security measures revealed by a search of the
Data Protection Register. It will normally fall to the individual
registrants to determine what is appropriate, and those with weak
or non-existent security measures may incur the wrath of the
commissioner only if personal data is compromised.
Not all industries escape so lightly. The Financial Services
Authority's consultation paper on operational risk systems and
controls sets out the measures authorised firms should take to
safeguard information security. Although the new FSA Handbook
provides only guidance, failure to comply may be taken as a breach
of the handbook rules, leaving the firm open to disciplinary action
by the FSA.
This is not to say that other UK businesses want for guidance on
best practice - advice abounds; it is mandatory requirements that
are lacking. The Department of Trade & Industry has issued
numerous publications aimed at educating UK businesses about the
risks, and the Organisation for Economic Co-operation and
Development has published guidelines recommending that member
countries "promote a culture of security".
In 1999 the Institute of Chartered Accountants published guidelines
(the Turnbull Report) on implementing the requirements of the
Combined Code on Corporate Governance. The Listing Rules require
that all listed companies explain why they have not complied with
the provisions of the Combined Code, and failure to follow Turnbull
may be taken as non-compliance.
Transgressors may be obliged, to their great embarrassment, to
disclose to investors material deficiencies in their information
security.
UK law falls short of requiring any measurable standard of
information security, so businesses cannot refer to legislation to
determine whether their information security is appropriate. Apart
from firms operating in particular regulated industries, it is
unlikely that action would be taken against a company for failure
to implement adequate information security unless the risks against
which it is supposed to guard actually occur.
It is clear, however, that managing information security is now
accepted to be good business practice, and it is this standard
against which firms will be judged if litigation ensues.
Directors who are personally culpable for failing to ensure that
information security strategy is implemented may be found liable
for failing to exercise proper skill and care if business data is
destroyed or falls into the wrong hands. Regardless of whether
information security is a legal requirement, it would be advisable
for firms to treat it as if it were.
David Griffiths is a partner specialising in information security
at international law firm Clifford Chance. He will deliver a
keynote speech at Infosecurity Europe.