Data Protection Act: Penalties limited, but expect more audits

The Information Commissioner's Office (ICO) will soon be able to fine organisations that breach the Data Protection Act. Until recently, it has not been clear exactly how the ICO will deliver these Data Protection fines, but a draft code has been released that sheds some light on this issue.

On April 6, 2010, the Information Commissioner's Office (ICO), the U.K.'s privacy watchdog, will be granted the power to impose Data Protection Act fines on organisations that breach the act's terms. The ICO will also be able to carry out audits on government departments suspected of having poor security controls.

In the lead-up to that date, a clearer picture is emerging of how the powers will be applied. Earlier this month, the ICO issued a draft Code of Practice for Assessment Notices, which outlines in detail how the ICO intends to handle public complaints, how it will serve assessment notices on organisations, and the circumstances under which it will conduct an audit of an organisation's systems. The document also signals the ICO's clear intention to extend its powers of audit to include private-sector companies.

The draft code, which is due to be finalised by April after public consultation, reveals that the ICO's main stated aim is to protect personal information rather than prosecute companies. Its most severe punishments will be reserved for those that show flagrant disregard for security and refuse to cooperate.

Offending organisations can avoid data protection fines provided they cooperate with ICO auditors and obey their recommendations. The draft code makes it clear that fines will only be applied as a last resort in serious cases, as is exemplified by the following quote taken from the text of the code: "The Information Commissioner will not impose a monetary penalty on a data controller where a contravention was discovered in the course of carrying out an audit."


However, any weaknesses or errors found in the audit will need to be corrected and treated seriously. According to the code: "The Information Commissioner must reserve the right to use any of his powers in the case of any identified major non-compliance where the data controller refuses to address a recommendation within an acceptable timescale."

The draft code currently confines audit powers to the public sector, but that will likely change soon. In his introduction to the document, Information Commissioner Christopher Graham wrote: "The scope of our extended powers is at the moment relatively modest, as they only apply to government departments. However, moving forward it is entirely reasonable to expect that, where the evidence supports it, I will seek to extend my powers to undertake compulsory audits in both the public and private sectors."

Graham added that the audit process "has a key role to play in educating and assisting organisations to meet their obligations" and insisted that where possible, any engagements with an organisation would be done "on a consensual basis."

But he also made it clear that compulsory audits would take place where organisations failed to cooperate with the ICO, and where there was a risk that individuals' data could be compromised.

The ICO and politics

The ICO's new powers are symptomatic of a growing body of legislation and regulation that has a direct impact on information security. According to Stewart Room, a partner at law firm Field Fisher Waterhouse LLC and an expert on IT security law, the rules will continue to get tighter, and regulators will apply them with more vigour in the future. If the Conservatives win the next election, as most people expect, he predicts the regulations will become even more punitive.

Room recently outlined his position in a talk at the SecureLondon event organised by ISC2, the security profession's educational body. He explained his belief that increased regulations have come about because the regulators have lost faith in their own ability to enforce security.

"We will see more intervention and a move from a light touch to a heavy touch by regulators with greater use of enforcement powers," Room said. "They have only scratched the surface so far."

He said that data security is now a political issue because consumers understand the dangers of their personal or financial information being stolen or misused. "Parliament now recognises data security as being of utmost importance," he said.

The regulators themselves will also be influenced by politics, Room said. Information Commissioner Graham has in the past acknowledged that he lacked the power and resources to be truly effective. Now, Room argued, the ICO will have no excuse for not punishing wrongdoers, and will be obliged to make good use of its new powers.

The financial-services industry may also find itself on the receiving end of more aggressive action from its own regulator, the Financial Services Authority (FSA). Room argued that FSA staff, under threat of closure by the Conservatives if they get into power, may feel tempted to act tough to prove their worth before any change of government.

How to protect organisations from data breaches

The main thrust of the Data Protection Act focuses on what is described as "reckless or deliberate" actions that lead to a data breach. As a prosecuting lawyer, Room said he would look for any evidence that showed a company had ignored warnings, refused resources, or failed to set up proper procedures for data protection. Any evidence along those lines would help to secure a conviction for deliberate malpractice.

Room said: "Ask yourselves, does your company have a culture of 'I told you so'? Are reports sent to the main board and ignored? Are there emails complaining about lack of resources, or recommendations not carried through?" All those things could be incriminating evidence.

The key, he said, is to get the right systems in place, and to have the documentation to prove that the organisation has at least tried to do the right thing. "This is not a no-fault regime," Room said. "Operationally, you are allowed to cock it up now and again, but you must have the right systems in place."

Therefore, in preparation for April 2010, Room advised companies to take some basic steps to "build a protective shield" around themselves, most notably:

  • Build a single unified security policy.
  • Ensure security forms part of any contract initiation.
  • Make security part of the process when any project is initiated.
  • Worker adequacy -- ensure you have processes for handling new employees, changes of job, and for workers exiting the company; show that they were made aware of security requirements.
  • Third-party assurance -- have processes in place to guard information held by third parties.
  • Culture -- have a managerial structure in place that demonstrates a chain of responsibility for handling security and reporting errors.

Documentation is therefore a key element in staying on the right side of the law. "So far, the ICO is taking a systems-based approach. They will just want to call in your documents and inspect them at their desks. They will not be inspecting what happens on the ground," said Room. "Remember that when the Nationwide Building Society was investigated after losing an unencrypted laptop, the main criticism was that it did not have a proper security policy."
