Infosec 2010: Businesses can do more to stay out of court for data breaches, says top UK lawyer

Data breaches are fast becoming one of the biggest reasons that businesses could find themselves in court as the government tightens up data protection legislation.

The reality is that no matter how much data protection policy and technology organisations have, they could still easily find themselves having to answer in court for a data breach.

In data breach cases, the most damning evidence often comes from whistle blowers within the organisation keen to protect themselves from blame.

With the introduction of new powers for the Information Commissioner's Office (ICO) from today, businesses risk fines of up to £500,000 for serious data breaches.

For these reasons, businesses need to think about how to limit the flow of harmful evidence in the event of a data breach, says Stewart Room, partner at law firm Field Fisher Waterhouse.

Legal responsibility

Organisations need to think beyond security policies and technologies to structure their incident response process in such a way that it is covered by legal professional privilege, he told Computer Weekly.

"If the conversations after an incident are with legal, rather than the CISO or IT manager, then all that information can be excluded from outside scrutiny," he said.

Businesses should look at structuring incident response processes as legal functions as a risk mitigation strategy because it reduces the risk of harmful information getting out, said Room.

This strategy will also mitigate the risk of a wide range of third-party scrutiny, which can include media probes under the Freedom of Information Act or data subject access requests by members of the public, he said.

An increasing number of mechanisms allow third parties to scrutinise organisations, so it is vital that they put their own mechanisms in place to limit that risk, said Room.

Few organisations seem to be aware of this new threat, which is enabled by various legal mechanisms that give would-be scrutinisers rights they can exercise, and fewer still are taking steps to defend themselves, he said.

Compliant on paper

Another useful approach to staying out of court is to understand that having top-quality paperwork rules in place is sufficient in most cases to bring legal action to a conclusion that is favourable to any organisation that suffers a data breach, said Room.

What Room terms "systems-based regulation" is the result of time and cost constraints and the human tendency to take the line of least resistance.

"Most cases consequently focus on paperwork rather than operations because it is easier for a regulator to work from his desk than to come down to your office," said Room.

This approach is based on the premise that from legally compliant policies and procedures will flow legally compliant operations.

"In effect, this means in most cases that if the paperwork passes the legal compliance test, you can be excused operational failures," he said.

Having the right security policies in place can go a long way to keeping an organisation out of court, according to Room.

"If there are no documented rules an organisation can reference to say it has done as much as could be expected, it will go down in flames in circumstances in which it would otherwise have been excused," he said.

Room is to be one of the panellists who will discuss how security professionals can defend themselves and stay out of court at Infosecurity Europe 2010 at Earls Court in London on 27-29 April.