Data breaches: the legal aftermath

After a deluge of data breaches, the UK government is considering ways to provide the public with better shelter, through strengthening data protection law and punishment.

The Liberal Democrat party dubbed 2007 the worst year ever for data protection and privacy, as almost 37 million Britons saw their records lost into the ether.

Some 25 million records were lost as a result of the government's well-documented child benefit debacle. Although you are less likely to hear about it when a bank or retailer suffers a breach, a good number of the remaining 12 million were down to several well-known brands mislaying records. Nationwide and Leeds building societies, and of course TJ Maxx, were among the big names hitting the headlines, leaving people to wonder whether their data is safe in the databases that hold it.

As it stands, the UK Data Protection Act and the information commissioner, Richard Thomas, are often seen as powerless enforcers of the law, because those who are penalised can walk away with nothing worse than a small fine and a slap on the wrist.

"The so-called 'toothless' law is starting to bite," says Robin Hollington, director of consulting at Global Secure Systems. "However, the information commissioner has had too few powers of enforcement. Other than the financial sector enforcement of Nationwide and Norwich Union, with fines made by the FSA, few organisations have felt the tangible cost of non-compliance.

"The most critical consequence of unauthorised data disclosures remains that of loss of customer confidence and reputation damage. Those responsible for data within organisations can already be held accountable, and face criminal charges. But that is if the person whose data has been compromised can prove they have suffered harm or distress as a result."

Despite the large number of firms handling personal data these days, there are still relatively few cases in which companies are prosecuted for breaching data protection law. This raises the question: are they all behaving themselves, or is the law ineffective?

Tough justice

Politicians say the law needs to change. An extremely bad year for data breaches has given them reason to beef up the Data Protection Act and make people or organisations in charge of such data more accountable for mistakes.

The government is now trying to make negligent or repeated data breaches a criminal offence. Parliament's justice committee has backed the move, also arguing that large-scale users of personal data, such as corporations, should pay for the increased workload of enforcing the law.

At the moment, every UK organisation that handles personal data pays an annual notification fee of £35. If the changes were accepted, higher fees for large-scale data users could give the Information Commissioner's Office (ICO) the resources to follow up on more cases, and changes in the law could lead to bigger fines and the possibility of custodial sentences.

The information commissioner's team could also be given permission to perform spot checks on how companies handle their data. Could firms end up paying more money to use customer data? And would the threat of higher penalties affect IT staff?

"This will have a massive impact on security professionals," says Andy Maurice, director of consultancy at records manager Iron Mountain Europe. "They will need to take into consideration how their organisation handles personal information in all stages of its life-cycle, as well as the different formats that this information can exist in."

"The security professional now needs to consider information life-cycle management in its entirety, reviewing all of the internal and external locations that an organisation could potentially leak sensitive information," he says. "Until recently, this has been a rather reactive process. It is now mandatory for all EU bodies to have a data protection officer in place, which is a clear indication that data protection is now taking centre stage. Those organisations that stand out as champions of data protection will be those that have evolved their business processes."

But are those business processes really evolving? And do staff treat data with the necessary respect? Research indicates this is not the case. A survey by Dynamic Markets of 300 managers and employees at UK and Irish companies where most staff use computers found that 16% of employees tell lies to cover up mistakes that resulted from the wrong version of information being presented to colleagues and customers. The report, commissioned by Tower Software, also claimed that 67% of employees say people in their organisation might have unknowingly presented the wrong version of information in this way.

Research carried out in November by Ipsos Mori among 1,000 British adults for the antivirus giant Symantec found that almost two-thirds of the public distrust the government's data-handling ability, and 61% distrust the methods corporations employ. Almost half (46%) say that data-protection laws are inadequate.

Tough on carelessness

Although these studies reflect the message from their sponsors that people need to invest more in security, they also add weight to the government's stance of getting tougher on carelessness. Unclear rules, however, raise the prospect of employees ending up in jail for mislaying a laptop or a pack of CDs containing personal data.

Andrew Dyson, a partner at law firm DLA Piper, argues that this certainly would not be the case. "The principal Data Protection Act is for those people who deliberately breach data - it is people hacking and those who misuse data," he says. "On a corporate level it is only if it is very sensitive data and someone has been very reckless. I think that [jail] is unlikely to be relevant [for company people] as this is targeted at people who illegally access data."

For a long time, legal eagles and security folk have talked about the possibility of a breach disclosure law in the UK. The law would mean that if a company lost any customer data, the people affected would have to be told.

Several US states, including California, already have such legislation, requiring companies operating there to tell their customers if a data breach occurs. The Californian law, SB-1386, and its equivalents in other states have forced companies to disclose breaches on several occasions.

But the prospect of a similar regulation in the European Union still looks unlikely, Dyson says. In many ways, companies have to tell their customers about breaches anyway - as this is one of the best routes to better security, he says. But that does not necessarily mean you find out how your data was stolen. And it does not exactly inspire confidence in a firm.

Ignorance is bliss?

Having said that, last year the House of Lords pushed for consultations on data-breach notification rules rather than waiting for orders from the European Commission. That work is still at an early stage, but in the meantime the British Standards Institution (BSI) has started work on yet another security benchmark.

"To this end, the BSI has started work on the development of a formal British Standard on Data Protection," Hollington says. "The aim of this proposed standard will be to provide organisations with a method of assessing and demonstrating their compliance with the requirements of the Data Protection Act."

The information commissioner has given his full support to the proposal to develop a British Standard on Data Protection. The BSI envisages the standard being used by organisations as a tool to assist in addressing their obligations under the Data Protection Act.

"Security professionals should be asking themselves, 'why are we not getting better at controlling the risks?' Both the risks and the countermeasures are embedded within recognised best practice standards including ISO27001/2, but still there is a general lack of respect for or adoption of security procedures by staff," Hollington says.

Any changes to the information commissioner's powers remain to be seen, and even if the Data Protection Act is changed, it could be some time before the ICO has powers comparable to those of other regulatory bodies. In fact, DLA Piper's Dyson says that companies in the financial services industry are more likely to come under fire from the Financial Services Authority (FSA), because the FSA can impose faster, tougher penalties for companies' errors.

"Last year, Nationwide had a laptop stolen," he says. "The information commissioner and the FSA looked at it. In the end, the information commissioner passed it over to the FSA because it has more power." Nationwide ended up paying £980,000: "There is no way the information commissioner could have done that."

Nervous analysis

Any change in legislation could also have an effect on the way data is used. Phil Becket, a director in Navigant Consulting's disputes and investigations practice, says the widespread use of data analytics could soon come under scrutiny.

"Currently, the data protection regulations include a caveat excluding investigators from complying with the regulations," he says. "Although this is unlikely to change, I expect companies and organisations to become far more nervous about permitting data analysis, data matching and PC imaging as a result of the criminalisation of data loss."

"Companies may be less willing to permit these investigative techniques even though they are no less able to permit them because of the perception that it is against the rules," Becket says.

This article was originally published in Infosecurity magazine