Cyber security and data protection: are you doing enough?
The widely disruptive cyber-attack that has affected many NHS bodies in England and Scotland, and organisations throughout the world, brings into focus the need for organisations to protect their information and IT systems. Ensuring your IT systems are secure is necessary not only as part of good business practice, but also because organisations holding information about individuals have specific regulatory obligations under the Data Protection Act 1998 (the DPA).
If your organisation collects and uses information about individuals (which is known as 'personal data'), then you will have an obligation under the DPA to "maintain appropriate technical and organisational measures" to ensure that the information stays secure. This obligation is deliberately flexible and non-prescriptive, meaning the measures that each organisation are required to adopt could vary depending on the type and amount of personal data that organisation holds. It does not mean that you will always need to encrypt data, or use any specific IT solutions but it does require organisations to consider IT security and take appropriate action.
So what action should you be taking? Here the DPA gives some further guidance, stating that, "having regard to the state of technological development and the cost of implementing any measures", the actions you need to take must ensure a level of security appropriate to the types of personal data you hold and the risks associated with any loss or destruction of the data.
Firstly, then, you need to think about what data you hold, and the potential impact the loss or destruction of that data could have on the individuals concerned. For instance, sensitive information about health conditions, or payment information that could leave individuals open to fraud, would carry a higher level of risk than more routine information. Size is also a factor here. If you hold a database with a million records, the potential impact is likely to be much greater than if your database only holds a hundred records.
Secondly, you need to consider what technical solutions are available. The DPA allows you to consider cost at this point. You are not always required to purchase the most expensive IT solution but the amount you spend should be relative to the risk and impact that a breach could have on your organisation. For example, if you have determined the potential risk of a data breach to individuals is high, then you will be required to consider more expensive solutions than if you determine the risk is relatively low.
Thirdly, don't forget that the obligation is to "maintain" appropriate security. This is an ongoing duty. You will not meet your obligations under the DPA if you merely purchase a good IT solution, without updating it regularly in response to new threats or issues (as some organisations, including the NHS, have recently found out). As well as the day-to-day security management of your IT systems (e.g. applying patches and updates to your operating systems and anti-virus/malware software as soon as they are released by the vendors), you should also keep all of your technical and organisational security measures under review and perform regular security assessments. If weaknesses are identified then you should promptly upgrade your systems or configuration to rectify these weaknesses.
Finally, if you are affected by a cyber-attack, you will need to consider whether to notify this to the Information Commissioner's Office. Currently, there are only mandatory reporting requirements in certain sectors, although if an attack causes loss or destruction of a significant amount of personal data, you may choose to inform the regulator. The rules on breach notification are changing from May 2018, when the General Data Protection Regulation comes into force.