Treat IT security as if the law required it

Regulations will be used against you if you do not protect partner or customer information.

Firms operating online face an increasing risk of security violations that many are not equipped to meet. Are businesses legally required to take information security seriously, and what will be the consequences if they do not?

The British standard on information security management, BS7799, identifies three categories of information security: confidentiality; integrity - protecting information against tampering; and availability. A comprehensive information security policy should address all of these.

From a legal standpoint, apart from the risk of irreparable damage to business data and goodwill, companies whose systems are compromised through poor security may incur significant liabilities. If the company holds data relating to third parties (such as customers and suppliers), they may be able to sue it for breach of contract if that data is accessed or modified by an unauthorised person.

The company may also face an action for breach of confidence if sensitive data relating to business partners is compromised. Individuals may even be able to bring a claim under the Human Rights Act for failure to protect their right to privacy where public bodies inadvertently allow access to their personal data. This all demands serious consideration but it does not make information security a legal requirement.

The closest approximation in English law to a legal requirement for information security lies in data protection legislation.

The seventh data protection principle in the Data Protection Act 1998 provides that "appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data".

This is supposedly bolstered by an obligation under the Act for firms to include a "general description" of how they intend to comply with this principle in their notifications to the Information Commissioner.

Yet that description is insufficient for the commissioner to determine whether the measures that firms intend to take will indeed be "appropriate", given the nature of the data and the processing to which it will be subject.

Also, firms' security measures are not revealed by a search of the Data Protection Register. It will normally fall to the individual registrants to determine what is appropriate, and those with weak or non-existent security measures may incur the wrath of the commissioner only if personal data is compromised.

Not all industries escape so lightly. The Financial Services Authority's consultation paper on operational risk systems and controls sets out the measures authorised firms should take to safeguard information security. Although the new FSA Handbook provides only guidance, failure to comply may be taken as a breach of the handbook rules, leaving the firm open to disciplinary action by the FSA.

This is not to say that other UK businesses want for guidance on best practice: advice abounds; it is mandatory requirements that are lacking. The Department of Trade & Industry has issued numerous publications aimed at educating UK businesses about the risks, and the Organisation for Economic Co-operation and Development has published guidelines recommending that member countries "promote a culture of security".

In 1999 the Institute of Chartered Accountants published guidelines (the Turnbull Report) on implementing the requirements of the Combined Code on Corporate Governance. The Listing Rules require that all listed companies explain why they have not complied with the provisions of the Combined Code, and failure to follow Turnbull may be taken as non-compliance.

Transgressors may be obliged, to their great embarrassment, to disclose to investors material deficiencies in their information security.

UK law falls short of requiring any measurable standard of information security, so businesses cannot refer to legislation to determine whether their information security is appropriate. Apart from firms operating in particular regulated industries, it is unlikely that action would be taken against a company for failure to implement adequate information security unless the risks against which it is supposed to guard actually occur.

It is clear, however, that managing information security is now accepted to be good business practice, and it is this standard against which firms will be judged if litigation ensues.

Directors who are personally culpable for failing to ensure that information security strategy is implemented may be found liable for failing to exercise proper skill and care if business data is destroyed or falls into the wrong hands. Regardless of whether information security is a legal requirement, it would be advisable for firms to treat it as if it were.

David Griffiths is a partner specialising in information security at the international law firm Clifford Chance. He will deliver a keynote speech at Infosecurity Europe.