When data controllers are faced with reporting a security breach - especially with regards to notifying the Information Commissioner's Office (ICO) - it will be in the best interests of the company to examine the conflicting elements of legal and regulatory disclosure requirements as the interests of the company may not wholly be served by following the directives of the Information Commissioner's Office (ICO), writes Bob Lewis, head of systems assurance at The Risk Advisory Group.
The ICO's guidelines are notification-orientated and arguably do not provide a best-interest reason to make that notification. If followed to the letter and without internal company consultation, data controllers could create a liability exposure to the regulator, as the ICO directs data controllers to disclose serious data breach without consideration to the mitigation of corporate liability.
The three considerations the ICO requests for making a notification to the regulator are: the potential harm to data subjects the volume of personal data lost and the sensitivity of that data.
When a breach is reported, the data controller will find the ICO reviewing the nature of the breach. Ultimately the data controller will be brought to account as to whether they have met their responsibilities under the Data Protection Act. Clearly, specialist legal advice is required. Currently, it would appear the ICO places greater emphasis on notification than on recognising whether the company has responded appropriately to the loss. With no legal obligation to report, data controllers are free to question the benefits of reporting a breach to the ICO.
The plan set out below should not be considered a definitive response to a data security breach, nor should it negate any other legal responsibilities of the organisation. Rather it is the phased and considered approach. The top ten actions listed in each phase are designed to protect the individuals whose data has been lost and, where possible, the reputation and security of the data of an organisation.
Phase one: immediate actions
•Identify the sensitivity of the data, whether the information has market impact considerations and if the data is internal- or client-oriented. Additionally, what level of protection was in place to protect it and how this can be proven
•Notify members of the crisis management team (including but not limited to data controller, CEO, corporate counsel and HR)
•Establish whether the lost data can be accessed or used without specialist knowledge or software
•Identify whether the data or the asset containing the data can be linked back to the company
• With the knowledge of the above points, identify the level of impact on the data subjects and the organisation
•Determine whether the loss was opportunistic or targeted theft, or a genuine lapse in security, and therefore if the legal tests for liability are proven
• Identify the location of the loss and whether the data can be recovered
• Establish a complete list of data subjects affected and their contact details
• Start drafting communications for both public and private notifications to data subjects and the ICO
• Reference the loss against internal policies and procedures to identify any weakness in compliance.
At this point the material facts of the loss should be fully known. All relevant parties will have been identified, notified and immediate remedial actions undertaken. Consideration can now be given to the wider issues.
Phase two: subsequent actions
• Consultation with specialist legal advisors
• A review of policies and procedures to ensure a second loss is not suffered, and that current measures are fit for purpose
• Establish if policies and procedures have been broken and what disciplinary action will be taken
• Prepare a public relations strategy in the event the loss is made public
• Establish whether the loss will be investigated internally or undertaken by external consultants
• Confirm lines of management and resources for each action undertaken
• If the loss was a targeted theft, establish a strategy for dealing with this
• Confirm whether or not the loss should be reported, and if so identify the appropriate recipients, for example business partners, the police, Financial Services Authority (FSA), ICO or other regulators
• Ensure all reported details are made in conjunction with all agreed legal, HR and public relations strategies and retain copies of all information provided
• On conclusion, review all decisions and actions taken and amend the response plan accordingly.
If appropriate controls are not in place to deal with the loss of data, the penalties a company might face can be significant. Prevention remains the best cure but this is not always sufficient. When a breach enters the public domain, emphasis should be placed on a sound legal and media strategy so companies do not inadvertently create additional and unwarranted liabilities.