Disclosure becomes a fact of life in leaky Britain

There's still no law in Britain that forces companies to disclose a data security breach. But few organisations would now be reckless enough to try to hide the fact.

In mid-November, the UK saw its worst ever leak of personal data when Her Majesty's Revenue and Customs (HMRC), the department responsible for collecting taxes, managed to lose two CDs containing personal and banking details of 25 million UK citizens. A few years back, the government might have tried to hush it up, but times have changed – the head of the HMRC resigned and the government minister in charge went straight to parliament to make an announcement and face the jeers of the opposition parties.

The change in mood can be dated to February 2007, when the Financial Services Authority (FSA), the financial industry regulator, imposed a fine of £980,000 on the Nationwide Building Society, a mutual savings and mortgage lender, after a Nationwide employee's laptop was stolen in a burglary at his home. The machine held a copy of the company's customer file, and the data was unencrypted.

Nationwide's mistake was to wait three weeks before starting an internal investigation, and then to delay further before coming clean to the FSA. In its final notice, the FSA berated Nationwide for its poor security controls and for its apparent lack of urgency in getting on top of the problem. The size of the fine was intended as a clear signal to other firms that poor security would not be tolerated.

The effect was immediate. The boardrooms of Britain's financial institutions were thrown into panic, and security chiefs were dragged in to answer the burning question: "Could it happen to us?"

Two months later, in April 2007, an employee of Halifax Bank had his car broken into and his briefcase stolen. The briefcase, which contained printouts of customer information, was quickly recovered, and it is fairly certain that no harm was done.

But Halifax, which accounts for around one in five house mortgages in the UK, immediately mounted a high-profile exercise to inform all 13,000 customers named in the printouts of the theft, and to reassure them that, come what may, they would be protected from any losses arising from identity theft. The swift action defused the situation, no fine was imposed, and Halifax achieved a PR triumph.

Since then, a whole series of security breaches has occurred at retailers, banks and government departments, and the organisations in question have been quick to admit their error. Nevertheless, pressure is building across Europe to write mandatory disclosure into law, along the lines pioneered by the State of California with SB 1386 and since copied by most other US states.

The EU's Directive on Privacy and Electronic Communications, adopted in 2002, is currently under review and is expected to introduce mandatory reporting of security breaches for communications companies. That could be limited to telcos and ISPs, or it might extend to banks and other types of companies transmitting personal data. Until the written proposal appears, which is expected soon, it is hard to know how far it will reach.

"We are currently looking at the question of disclosure, but have not yet reached a conclusion," said a spokesman for the UK's Information Commissioner, who administers the data protection regime.

It is clear that most companies would like to avoid the heavy hand of the law and keep the situation the way it is, with industries regulating themselves, and disclosure occurring on a semi-voluntary basis.

And full and immediate mandatory disclosure is not without its problems, as many security professionals point out. A disclosure may inspire copycat crimes, as criminals realise the value of an organisation's laptops, for instance. It may inspire false claims from customers who say they have suffered fraud. And it alerts the thief to the value of what they have: it is no longer just a laptop worth a few dollars, or a CD with no value at all, but the data on it.

But according to one lawyer who specialises in technology, the law as it stands is perfectly adequate to force disclosure. Stewart Room, a partner with Field Fisher Waterhouse LLP of London, says a combination of existing privacy and human rights law already gives individuals the right to know if their data has been put at risk by a breach.

"There is no rational reason to suggest that privacy laws should cease the moment a security breach has occurred – it is where they should kick in the most," he says. "The British courts have modified the law of confidence to incorporate a right of privacy [embodied in the European Convention on Human Rights] where there is a reasonable expectation of privacy. In the law of confidence, you can litigate to prevent a breach happening, and for remedial measures after a breach has happened."

That implies that the individual might have to sue to get recompense, but in practice, Room says the laws are already proving effective through the actions of the various industry regulators. "What we are now seeing from regulators is severe enforcement action if you don't report to them and they find out through the press or some other means," he says. "They have an obligation under the Human Rights Act to enforce a reporting of security breach obligation. If companies don't report, they will receive a harsher penalty."

Fear of harsher penalties is therefore encouraging organisations to volunteer the information to their regulators. "If you suffer a breach, it is a gamble if you try to keep a lid on it," Room says. "Most organisations will struggle to be confident of keeping these things quiet." In the UK, where case law and precedent determine how laws are interpreted, he agrees that some real court cases would help to clarify the rules for everyone.

But on a European level, it looks as if mandatory disclosure will come soon in some form. "I am personally aware of some senior and influential figures at the European Commission who agree that the Directive already includes a reporting obligation, and also agree that if it doesn't, it should," Room says.
