< Back

Share |

Dealing with data security breaches – an introduction

September 2013

In July 2013, Sony Computer Entertainment Europe announced that they had decided to withdraw their appeal against a fine of £250,000 imposed by the UK's independent regulator of data protection, the Information Commissioner (IC), following a serious security breach in April 2011, that compromised the personal information of millions of its Sony PlayStation Network customers.

KeyboardTaking action to secure personal data is important not only from a data protection compliance perspective, where fines of up to £500,000 can be imposed by the IC, but also in order to prevent claims against the organisation from individuals affected by the breach which can fatally damage a businesses' brand and reputation, not to mention the cost of disruption to an organisation investigating and responding to an incident.

Security and data protection law

The Data Protection Act 1998 (DPA) requires that organisations processing personal information relating to individuals, (personal data) must comply with eight data protection principles. The principles set enforceable standards relating to the processing of personal data. The seventh principle requires that appropriate measures are taken against unauthorised or unlawful processing and against accidental loss, destruction of or damage to personal data. A data security breach arising from a failure by a business to put effective security measures in place over personal data processed by it or on its behalf by a service provider, can result in formal action by the IC.

In his Annual Report to Parliament published on 20 June 2013, the IC emphasised the importance of keeping personal information secure.  The report shows that the IC imposed fines between 2012 and 2013 totalling £2.6 million and, with one exception, the penalties issued under the DPA were all for failing to secure personal information.

Responding to a breach

In the event of a security breach, an organisation needs to take prompt action to investigate and contain the incident as well as to assess whether the data can be recovered and if there are steps that can be taken to limit any damage associated with the breach.

Magnifying glassWith the exception of public electronic communications service providers subject to reporting obligations under the Privacy and Electronic Communications Regulations (PECR), there is currently no general legal data protection obligation to notify either the IC or affected data subjects of a data security incident although future plans to introduce a breach reporting obligation under the European Commission's draft data protection Regulation look likely to change this.

That said, there is a presumption on the part of the IC that serious data breaches should be reported to his office. Guidance published by the IC suggests assessing three factors in deciding whether to report a breach:

  • The potential harm to affected individuals - The potential harm to individuals is considered by the IC to be the "overriding consideration" in deciding whether to report. Examples of harm may include risk of identity fraud by the release of non-public identifiers or information about a person's private life becoming available to others. Where, however, there is little risk of harm to individuals, for example, where the data is encrypted to a proper standard, then there is no need to report.
  • The volume of personal data affected - A large volume of affected data should trigger a presumption to report. It is, however, necessary to consider each case to decide what amounts to a large volume of data; even low volumes of data may be a trigger if the risks associated with the data are particularly high.
  • The sensitivity of the personal data affected - There should be a presumption to report to the IC where the release of personal data would cause significant risk of individuals suffering substantial damage including distress. This will be relevant for personal data classed as sensitive, such as information about individual's health, political opinions or sexuality.

In addition to reporting the details of the breach to the IC, consideration should also be given to whether the affected individuals should be informed. This may be necessary so that people can take steps to protect themselves, for example, by notifying their bank or changing their passwords.

Anticipating the worst case scenario

In the event of a data breach risk becoming a reality, the business will also need to react fast. For this reason, it is important to prepare for the unthinkable by drawing up a breach response plan.

Note takingA response plan should identify the steps that need to be taken during the containment and recovery stages of a breach. The plan should allocate roles and responsibilities to staff involved in reacting to a breach and provide a roadmap for the business to evaluate the risk, implement solutions and learn in the light of experience.  In addition, this readiness plan should be documented, publicised within the organisation and tested so that the key personnel are familiar with their role and responsibilities.

Only by anticipating the risks can a business effectively respond to a data security breach.  By failing to plan for the worst case scenario, a business may find it is slower to react. This could potentially compound any detriment to individuals from a breach and place the organisation on the back foot, both in terms of their investigation and their position with the IC and data subjects when it comes to reporting the details of the incident.

If you have any questions on this article or would like to propose a subject to be addressed by the Global Data Hub please contact us.

Safe
Sally Annereau

Sally Annereau      


Sally considers the consequences of a security breach and the importance of implementing a data breach plan.

"The Information Commissioner imposed fines between 2012 and 2013 totalling £2.6 million and, with one exception, the penalties issued under the Data Protection Act were all for failing to secure personal information."