
There is a growing awareness among regulators and the public of
data security issues. The risks to businesses of being involved
in a data loss incident are high. Criminal sanctions under the
Data Protection Act are well established, but regulators such
as the Financial Services Authority (FSA) are also willing to flex
their enforcement muscles. In the past three years the
FSA has levied substantial fines against several of its members
for security breaches, write Phil Sherrell and Vinod Bange from
the technology team at international law firm Eversheds.
Bad publicity is another potentially lethal sanction. A
study by Ponemon showed that 31% of respondents terminated
their relationship with an organisation on receiving notification
of a breach of data security. Also, where third-party suppliers are
dealing with data, security breaches can lead to termination of
their contract and liability for losses incurred.
Mitigating legal risk
Arrangements under which third-party suppliers handle customer
data should provide for
clear lines of responsibility. It is ultimately the data
controller's responsibility to ensure that its suppliers treat data
carefully, but the supplier will also require their assistance to
minimise damage if a breach should occur.
The services contract should:
• Clearly spell out each party's responsibilities. Security
measures should be specific and clearly identified (i.e. within a
security schedule) and should be achievable
• Set out some basic controls in the event of a data loss or
breach. The parties should co-operate to prevent further damage
occurring
• Have indemnity and termination provisions which specifically
address the issue and the consequences of data loss on the
supplier's part
• Contain specific provisions for press statements to be
mutually agreed so that neither party can depict the other as the
scapegoat.
Practical steps
All businesses should have robust data security measures. In
particular:
Human and operational controls: Ensure
effective training for all staff who handle the customer data so
that they clearly understand what their responsibilities are. This
is particularly important where a third-party supplier is handling
the data of individuals on behalf of different customers, who may
have different policies and needs.
Technical measures: These must be robust,
backed up by an audit trail to demonstrate that they are tested and
effective for the specific data and contractual requirements. For
example, protective measures such as access control (i.e.
passwords), firewalls and encryption where appropriate should be
fit for purpose.
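The two points above (a supplier handling several customers' data under differing policies, and technical controls that must leave an audit trail showing they work) can be illustrated in code. The following is an added example, not code from the article or from Eversheds: it assumes a small supplier with two hypothetical customers ("acme-bank", "beta-insurance") and constructed staff records, enforces each customer's own access policy, and records every decision, allowed or denied, in a hash-chained log so that a later review can show both that the control was applied and that the log itself has not been altered.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample data (hypothetical names): each customer, as data
# controller, specifies which supplier roles may handle its data and whether
# access must come over an encrypted channel.
CUSTOMER_POLICIES = {
    "acme-bank": {"allowed_roles": {"claims-handler"},
                  "requires_encrypted_channel": True},
    "beta-insurance": {"allowed_roles": {"claims-handler", "analyst"},
                       "requires_encrypted_channel": False},
}

# Constructed staff records: the role each employee holds for each customer.
STAFF = {
    "alice": {"acme-bank": "claims-handler", "beta-insurance": "analyst"},
    "bob": {"beta-insurance": "analyst"},
}


class AuditTrail:
    """Append-only log of access decisions, hash-chained so that any later
    edit or deletion of an entry is detectable when the trail is reviewed."""

    def __init__(self, clock=None):
        self.entries = []
        # Injectable clock keeps the log reproducible in tests.
        self._clock = clock or (lambda: datetime.now(timezone.utc).isoformat())

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, **event):
        prev_hash = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = dict(event, timestamp=self._clock(), prev_hash=prev_hash)
        entry["hash"] = self._digest(entry)  # hash covers everything but itself
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return True if every entry's hash matches its content and chains to
        the previous entry; False if any entry has been altered or removed."""
        prev_hash = "0" * 64
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev_hash"] != prev_hash or self._digest(body) != entry["hash"]:
                return False
            prev_hash = entry["hash"]
        return True


def check_access(staff_id, customer, channel_encrypted, trail):
    """Decide whether staff_id may handle this customer's data under that
    customer's policy, and record the decision with its reason either way."""
    policy = CUSTOMER_POLICIES.get(customer)
    role = STAFF.get(staff_id, {}).get(customer)
    if policy is None:
        allowed, reason = False, "unknown customer"
    elif role is None:
        allowed, reason = False, "no role assigned for this customer"
    elif role not in policy["allowed_roles"]:
        allowed, reason = False, f"role '{role}' not permitted by customer policy"
    elif policy["requires_encrypted_channel"] and not channel_encrypted:
        allowed, reason = False, "customer requires an encrypted channel"
    else:
        allowed, reason = True, "policy satisfied"
    trail.record(staff=staff_id, customer=customer,
                 channel_encrypted=channel_encrypted, allowed=allowed, reason=reason)
    return allowed


def run_demo():
    """Exercise the control on constructed requests; return (decisions, trail)."""
    trail = AuditTrail()
    decisions = [
        check_access("alice", "acme-bank", True, trail),        # allowed
        check_access("alice", "acme-bank", False, trail),       # denied: unencrypted
        check_access("bob", "acme-bank", True, trail),          # denied: no role there
        check_access("alice", "beta-insurance", False, trail),  # allowed: policy permits
        check_access("carol", "acme-bank", True, trail),        # denied: no role (unknown staff)
    ]
    return decisions, trail


if __name__ == "__main__":
    decisions, trail = run_demo()
    for entry in trail.entries:
        verdict = "ALLOWED" if entry["allowed"] else "DENIED"
        print(entry["staff"], entry["customer"], verdict, "-", entry["reason"])
    print("audit trail intact:", trail.verify())
```

Denied requests are logged as deliberately as allowed ones: when a controller asks the supplier to demonstrate that its controls are effective, the record of refusals is the evidence. The hash chain is a lightweight integrity measure for a single log; in production the same idea is usually realised by shipping entries to a write-once store that the staff being audited cannot edit.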
Reputational damage
Instant and intense media scrutiny can be expected in the event
of data loss, so businesses should
plan in advance how the situation will be handled. You will
need to establish the exact facts quickly and present a coherent
explanation which shows that you are in control. If there is doubt
as to what has happened, you are entitled to prevent the media
pointing the finger until the facts are clear.
Be careful about blaming a third party - check whether you are
contractually entitled to do so and consider the risk should you be
wrong. If it is clearly your fault, then a prompt public apology
combined with a clear explanation as to how you will mitigate any
damage caused may be the most effective way of defusing the
situation.