Data loss: how to minimise risk, liability and reputational damage

As public awareness of the dangers of data loss by businesses increases, Phil Sherrell and Vinod Bange from the technology team at international law firm Eversheds offer advice on mitigating the risks.

There is a growing awareness among regulators and the public of data security issues. The risks to businesses of being involved in a data loss incident are high. Criminal sanctions under the Data Protection Act are well established, but regulators such as the Financial Services Authority (FSA) are also willing to flex their enforcement muscles. In the past three years the FSA has levied substantial fines against several of its members for security breaches, write Phil Sherrell and Vinod Bange from the technology team at international law firm Eversheds.

Bad publicity is another potentially lethal sanction. A study by Ponemon showed that 31% of respondents terminated their relationship with an organisation on receiving notification of a breach of data security. Also, where third-party suppliers are dealing with data, security breaches can lead to termination of their contract and liability for losses incurred.

Mitigating legal risk

Arrangements under which third-party suppliers handle customer data should provide for clear lines of responsibility. It is ultimately the data controller's responsibility to ensure that its suppliers treat data carefully, but the supplier will also require their assistance to minimise damage if a breach should occur.

The services contract should:

• Clearly spell out each party's responsibilities. Security measures should be specific and clearly identified (i.e. within a security schedule) and should be achievable

• Set out some basic controls in the event of a data loss or breach. The parties should co-operate to prevent further damage occurring

• Have indemnity and termination provisions which specifically address the issue and the consequences of data loss on the supplier's part

• Contain specific provisions for press statements to be mutually agreed so that neither party can depict the other as the scapegoat.

Practical steps

All businesses should have robust data security measures. In particular:

Human and operational controls: Ensure effective training for all staff who handle customer data so that they clearly understand what their responsibilities are. This is particularly important where a third-party supplier is handling the data of individuals on behalf of different customers, who may have different policies and needs.

Technical measures: These must be robust and backed up by an audit trail to demonstrate that they are tested and effective for the specific data and contractual requirements. For example, protective measures such as access control (i.e. passwords), firewalls and encryption where appropriate should be fit for purpose.

Reputational damage

Instant and intense media scrutiny can be expected in the event of data loss, so businesses should plan in advance how the situation will be handled. You will need to establish the exact facts quickly and present a coherent explanation which shows that you are in control. If there is doubt as to what has happened, you are entitled to prevent the media pointing the finger until the facts are clear.

Be careful about blaming a third party - check whether you are contractually entitled to do so and consider the risk should you be wrong. If it is clearly your fault, then a prompt public apology combined with a clear explanation as to how you will mitigate any damage caused may be the most effective way of defusing the situation.
