Guest article: The New Regime on Data Loss
Yesterday the Information Commissioner's Office gained new powers to deal with data security risks. In this guest article Tracey Stretton, a legal consultant at Kroll Ontrack, looks at some of the risks and strategies for dealing with them…
The Information Commissioner in the UK recently said that getting data protection right has never been more important than it is today. Given the harm and distress a data security breach can cause to thousands of people, it has become essential for companies to safeguard the personal data of others. Not only is there the risk of financial and reputational damage when data is lost, stolen or compromised but serious breaches of personal data security are expected to attract more severe penalties.
New Penalties for Serious Breaches
The Data Protection Act in the UK requires those who process personal data to keep it secure, taking appropriate technical and organisational measures to protect it, and not to retain it longer than necessary. From 6 April 2010 the Information Commissioner’s Office will be able to impose penalties of up to £500,000 for serious breaches of the Act. These might include losing financial data that subjects an individual to identity fraud, or losing sensitive personal medical data that causes worry and anxiety. When penalties are imposed, the Commissioner will carefully consider the circumstances, including the seriousness of the breach; the likelihood of substantial damage and distress to individuals; whether the breach was deliberate or negligent; and what reasonable steps the organisation has taken to prevent breaches. The Commissioner can also serve an enforcement notice to achieve compliance with the data protection principles, carry out an assessment of a company and prosecute those involved in the unlawful trade in confidential personal data.
How the New Powers Will Be Used
According to statutory guidance, the Commissioner will take a pragmatic and proportionate approach when imposing monetary penalties. Factors taken into account when determining a penalty are an organisation’s financial resources, sector, size and the severity of the data breach, to ensure that undue financial hardship is not imposed on an organisation. An example of a serious contravention according to the guidance is the failure by a data controller to take adequate security measures (use of encrypted files and devices, operational procedures, guidance etc.) resulting in the loss of a CD holding personal data. The Commissioner is more likely to consider that the data controller has taken reasonable steps to prevent a contravention if a risk assessment has been carried out or there is evidence that risks have been recognised and addressed, for example in policies and procedures.
How Often Does This Happen?
According to Kroll Ontrack’s Annual ESI Trends Survey 2009, UK companies experience at least one data breach a year. There is an active market for stolen data and sellers compete on price, volumes and quality of stolen information – so you might see on offer “buy 1000 credit card records and get 1000 drivers licence records free”. At Kroll Ontrack, we have seen a company being offered back its own database of client records which they did not know was missing (even criminals make mistakes). We are hardened to these cases, but still shocked at the large volumes and relatively low cost of buying highly sensitive stolen information.
Anticipating and Managing Data Breaches
In many cases data that has been compromised should have been deleted years ago and companies have no idea it still exists. Because it is unrecognized, it is also largely unprotected. Sensitive information within a company – particularly a large one – can be likened to an iceberg. The IT department, internal audit, General Counsel and other managers at the top can see some of the sensitive data and manage it, but there is often a lot of data down at various operating levels that does not get seen from the top.
Data Maps and Security Assessments
We recommend that companies build data maps indicating where sensitive data enters, is used, is stored and leaves the organisation. They should carry out internal security readiness assessments involving both procedural reviews and actual system and network testing. External specialists are able to assist with this and are able to identify and quickly close security holes that could otherwise be used with devastating effect.
Data Breach Response Plans
Companies should also develop and test data breach response plans so that they know – and have practiced – what to do if an incident happens. It’s important to identify outside specialists to turn to for support with crisis communication, computer forensic investigations and with notifications. When a company believes an incident may have occurred, forensic and investigative services are available to determine what did and did not happen and to secure and analyse evidence. You can sometimes prove that a breach did not occur, or that it was far less extensive than at first believed. Help with remediation is also available, both in terms of services for those whose data was breached, and in a technical sense, to bring security to a reasonable level.
There is no such thing as 100% security. What we say, and suspect that the Commissioner will understand, is that a company has to maintain a “commercially reasonable” set of security measures. Based on the nature of the information and the threats to it, are you doing what a well-managed company should do to protect sensitive data? Here are some examples of questions that might be asked when assessing an incident and the adequacy of data security measures:
• Was the data needed for business processes? Sometimes companies collect data that they don’t actually use. Losing sensitive data that you didn’t need in the first place will create a bad impression.
• Was the data still needed? Organisations are often reluctant to get rid of data that they don’t need anymore, even if it is sensitive. Again, it’s hard to explain why you had it if there is a breach.
• Was it protected? The software needed to encrypt stored data is becoming more available and affordable. We’ve reached the point where encryption of at least laptop and portable netbook machines is a best practice.
• Will you detect an incident, or wait until some external party informs you that it has happened? Having protective measures that can tell you something is wrong is vital. Network firewalls, application-level firewalls, intrusion detection systems, intrusion prevention systems, log consolidation and analysis systems and the like are defensive measures that you should consider in planning how you’re going to protect sensitive data.
• Do you maintain proper logs and records that would facilitate the investigation of an incident? Log files that tell you how the incident occurred, when it happened, what data was compromised, and whether it is still occurring should be retained.
• Did you test your security? Regularly running tests in which independent experts try to breach your defenses (so-called “penetration tests”) is becoming a recognised best practice, particularly for larger organisations. Traditional penetration tests in which you scan for flaws in the Internet-facing portions of a company’s network are no longer sufficient. You have to test for phishing (sending deceptive emails to get an employee to download software which actually steals or helps to steal data), social engineering (trying to talk an employee into providing access, or their password, or otherwise assisting hackers) and for sophisticated “blended” and “persistent” threats.
The Cost of Being Cavalier
In the new regulatory climate, companies that adopt a cavalier approach and fail to take reasonable steps to put basic security provisions in place are at risk of being fined. Data breaches can severely affect a company in other ways. It’s not just the cost of investigating the incident, or of notifying and providing services to those whose data has been compromised, or the cost of lawsuits that can be crippling. The greatest cost can be to a company’s or a brand’s reputation. Even long-time and dedicated customers can be driven away if a breach occurs and it is not properly handled.