The power of the ICO: Liabilities for a data security breach

If an organization suffers a security breach, there are many consequences and a range of liabilities. Stewart Room reveals the two important powers that the Information Commissioner's Office has when punishing a company guilty of data loss.

Don't miss need-to-know info!
Security pros can't afford to be the last to know. Sign up for email updates from and you'll never be behind the curve!

An organisation that suffers a security breach is exposed to a wide range of liabilities. Under the Data Protection Act, a breach of security can constitute a breach of the seventh data protection principle: that "appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss of, destruction of, or damage to, personal data." In such an event, the data controller is exposed to regulatory action by the Information Commissioner's Office, the U.K.'s independent regulator for data protection. Currently, the ICO has two important administrative powers; it can serve an enforcement notice under section 40 of the Data Protection Act, and it will be able to serve monetary penalty notices under section 55A.

The Commissioner's office is entitled, though not obliged, to serve an enforcement notice if it is satisfied that the controller has contravened, or is contravening, the principles of the Data Protection Act. The purpose of an enforcement notice is achieving the controller's compliance with the DPA. If the ICO is satisfied, then it may serve a notice requiring the controller to either take steps or to refrain from taking steps.

However, before serving an enforcement notice, the Information Commissioners' Office must also consider the extent to which the security breach has caused, or is likely to cause, a person damage or distress. If a controller disputes the service of an enforcement notice, he or she can appeal within 28 days to the Information Tribunal. An appeal suspends the operation of the notice. If the controller chooses not to appeal, or appeals are unsuccessful, the notice will crystallise. When a controller breaches the terms of the notice, that person will be liable to criminal prosecution. If the controller is a company, breach of an enforcement notice also exposes the directors and managers of the business to criminal proceedings.

In May 2008 the Criminal Justice and Immigration Act introduced the Commissioner's power to serve a monetary penalty notice. The ICO expects that it will have issued its first monetary penalty notices by spring 2009, which might be a tad ambitious. Again, the Commissioner's power to serve a monetary penalty notice is a discretionary one, which can only be exercised where there has been a serious breach of the data protection principles that is likely to cause substantial damage or distress, provided that the controller knew there was a risk of such a breach occurring and that those responsible did not take reasonable steps to prevent it.

For more information

Stewart Room explores whether guilty companies are legally obligated to send data breach notifications.

The data subject is also given statutory remedies by the DPA. Under section 13, victims can sue for compensation if they suffer damage and distress. They can also take legal action to prevent further processing of their data. In big security breach cases, expect to see the emergence of "class actions," which can be brought in the High Court by way of a "group litigation order," which permits similar legal claims to be answered collectively.

While the DPA focuses on the activities of data controllers, data processors are not immune from legal action. Under the Human Rights Act, any data subjects affected by a security breach can sue for compensation for that breach. Furthermore, we have witnessed the recent case of a high-profile data processor having a government contract terminated following the loss of an unencrypted memory stick containing sensitive data about prisoners; the exercise of contractual remedies for security breaches is likely to become more commonplace.

In the financial services sector there have been a number of large, high-profile fines for security breaches, which are issued under the Financial Services and Markets Act 2000, a law governing the provision of financial services in the U.K. The FSMA has four key regulatory objectives, and for the purposes of security breaches, it is the regulatory objective to prevent financial crime that is called into force by the FSA in the event of a security breach in a regulated firm. Breaches of the FSMA have attracted financial penalties for many years now. In light of the overall strategic weaknesses in the financial sector, it is likely that the FSA will continue its high-profile strategy for security breaches in the years ahead.

About the author:
Stewart Room, Barrister and Solicitor, is a partner in the Technology Law Group at Field Fisher Waterhouse LLP. He is named as one of the U.K.'s leading data protection lawyers in legal directory Chambers UK and in October 2008 he was awarded the prestigious prize of "Legal Innovator of the Year" by the Financial Times, for his work with major IT companies. He is the president of the National Association of Data Protection Officers and the author of Data Protection and Compliance in Context (December 2006), Email: Law Practice and Compliance (to be published in December 2008) and Data Security Law and Practice (to be published in July 2009). He is a visiting lecturer on information law at various universities.

Read more on Regulatory compliance and standard requirements