Firms should guard against legal claims from aggrieved clients

For any IT director, the job of monitoring internet and e-mail use and investigating security breaches will give rise to a number of challenges, not least that of minimising the damage such breaches can cause.

One area that should be addressed at an early stage is whether firms should report security breaches to customers, business partners or the police. This can be a difficult judgment, particularly where competing interests are involved.

In cases where personal customer data such as credit card information has been illegally accessed, either internally or as a result of third-party intervention, the case for notifying those affected may be strong.

Surely customers of, for example, a retail store should be told that there has been an incident so that they can notify their bank and insurers and thereby seek to limit the loss and damage they might suffer?

Some might argue that this approach is unworkable, particularly where large numbers of customers are involved. The task of tracking them down and notifying them will take time and could be very expensive.

And what about the risk of damage to reputation, particularly if the organisation is operating in the financial sector, where security is vital to retaining customer confidence? Should the risk of damage to reputation outweigh the risk of legal claims by aggrieved customers who were not notified, or were not notified promptly? Would customers have a case for action under the Data Protection Act?

The reality is that each situation needs to be assessed in the light of its particular circumstances. For many organisations the approach may be to keep quiet and hope that the problem goes away without customers suffering or bringing claims against the business.

It is hard to criticise this approach (except, of course, in cases where serious crime, including sexual offences, is involved) given the risk of reputational damage and, as matters currently stand in the UK, the absence of an overarching legal requirement to notify.

On the other hand, this approach could make matters worse and only serve to increase the size of any claim that may be made. There is also the risk that the police, including the National Hi-Tech Crime Unit, may take a dim view and criticise the organisation for not getting them involved earlier.

In California, legislators have taken steps to codify legal requirements in this area, so that those who conduct business in the state are required to notify in the event of a security breach unless steps have been taken to encrypt the data involved. This law came into force last year and is set out in the California Security Breach Information Act (SB 1386).

Nothing like this law, with such a wide-ranging application, exists in the UK, although the ongoing failure by organisations to notify security breaches may cause legislators in Brussels and London to act.

Any such steps would no doubt be met with opposition from the business community because of the potential burden they would place on it and the problems they could cause in terms of reputational damage.

IT directors should ensure that they have in place internal policies and procedures to cover not only the approach to be taken when investigating security breaches but also a route to senior management on external notification to customers, business partners and the police.

Mike Bywell is a partner at law firm DLA