When data controllers are faced with reporting a security breach,
especially with regard to notifying the Information Commissioner's
Office (ICO), it will be in the best interests of the company to
examine the conflicting elements of legal and regulatory disclosure
requirements, as the interests of the company may not wholly be
served by following the ICO's directives, writes Bob Lewis, head of
systems assurance at The Risk Advisory Group.
The ICO's guidelines are notification-orientated and arguably do
not provide a best-interest reason for making that notification. If
followed to the letter and without internal company consultation,
data controllers could create a liability exposure to the
regulator, as the ICO directs data controllers to disclose serious
data breaches without any consideration of how corporate liability
might be mitigated.
The three considerations the ICO asks data controllers to weigh
when deciding whether to notify the regulator are: the potential
harm to data subjects, the volume of personal data lost and the
sensitivity of that data.
When a breach is reported, the data controller will find the ICO
reviewing the nature of the breach. Ultimately the data controller
will be brought to account as to whether they have met their
responsibilities under the Data Protection Act. Clearly, specialist
legal advice is required. Currently, it would appear the ICO places
greater emphasis on notification than on recognising whether the
company has responded appropriately to the loss. With no legal
obligation to report, data controllers are free to question the
benefits of reporting a breach to the ICO.
The plan set out below should not be considered a definitive
response to a data security breach, nor should it negate any other
legal responsibilities of the organisation. Rather, it is a phased
and considered approach. The ten actions listed in each phase are
designed to protect the individuals whose data has been lost and,
where possible, the reputation and data security of the
organisation.
Phase one: immediate actions
Step 1:
• Identify the sensitivity of the data, whether the information
has market impact considerations and whether the data is internal-
or client-oriented. Additionally, establish what level of
protection was in place to protect it and how this can be proven
• Notify members of the crisis management team (including but not
limited to the data controller, CEO, corporate counsel and HR)
• Establish whether the lost data can be accessed or used without
specialist knowledge or software
• Identify whether the data, or the asset containing the data, can
be linked back to the company
Step 2:
• With the knowledge of the above points, identify the level of
impact on the data subjects and the organisation
• Determine whether the loss was opportunistic or targeted theft,
or a genuine lapse in security, and therefore whether the legal
tests for liability are met
• Identify the location of the loss and whether the data can be
recovered
• Establish a complete list of the data subjects affected and
their contact details
• Start drafting communications for both public and private
notifications to data subjects and the ICO
• Reference the loss against internal policies and procedures to
identify any weakness in compliance.
At this point the material facts of the loss should be fully
known, all relevant parties will have been identified and notified,
and immediate remedial actions will have been undertaken.
Consideration can now be given to the wider issues.
Phase two: subsequent actions
Implement:
• Consultation with specialist legal advisors
• A review of policies and procedures to ensure a second loss is
not suffered, and that current measures are fit for purpose
• Establish if policies and procedures have been broken and what
disciplinary action will be taken
• Prepare a public relations strategy in the event the loss is
made public
• Establish whether the loss will be investigated internally or
undertaken by external consultants
• Confirm lines of management and resources for each action
undertaken
• If the loss was a targeted theft, establish a strategy for
dealing with this
• Confirm whether or not the loss should be reported, and if so
identify the appropriate recipients, for example business partners,
the police, Financial Services Authority (FSA), ICO or other
regulators
• Ensure that every detail reported is consistent with the agreed
legal, HR and public relations strategies, and retain copies of all
information provided
• On conclusion, review all decisions and actions taken and
amend the response plan accordingly.
If appropriate controls are not in place to deal with the loss of
data, the penalties a company might face can be significant.
Prevention remains the best cure, but it is not always sufficient.
When a breach enters the public domain, emphasis should be placed
on a sound legal and media strategy so that companies do not
inadvertently create additional and unwarranted liabilities.