Data Security Breaches: Are you prepared?
The 2015 Information Security Breaches Survey reported that 90% of large organisations suffer at least one data security incident per year and that each breach can cost on average £1.5 million. However, it is not just large organisations that need to be mindful of data security breaches; smaller organisations, particularly those holding valuable data sets, are at risk too.
Whilst the biggest cost of a data security breach to an organisation is often the disruption to the business, the cost and reputational risk associated with regulatory fines and claims brought by data subjects should not be ignored. In order to minimise the impact of a data security breach on your organisation, you should understand your obligations under the Data Protection Act 1998 (DPA) and other relevant legislation, and this article outlines some of those obligations.
Prevention is better than cure
If your organisation processes personal data it is under an obligation to take “appropriate technical and organisational measures” against the unauthorised or unlawful processing of that data and to prevent accidental loss or destruction of or damage to the data (Principle 7 of the DPA). Unfortunately the DPA does not define what is appropriate but you are expected to take into account the following:
- the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage of personal data; and
- the nature of the personal data to be protected.
Your organisation should therefore undertake a risk assessment of the data it holds to determine the extent to which it is valuable, sensitive or confidential, and to determine the level of harm that could result from a data security breach. You may also have regard to the state of technological development and the cost of implementing any security measures, weighing the cost of those measures against the likelihood and potential severity of a breach. If the likely harm arising from a data breach is minor, then you might justifiably decide not to invest in expensive industry-leading security.
It should be remembered though that data breaches do not just occur from malicious hacking but also arise from loss of equipment or human error. Therefore, you should look beyond IT security when performing the risk assessment and also consider HR policies and staff training.
What steps should you take following a breach?
In the event that your organisation does suffer a data breach, it is important to act decisively and follow these steps:
1. Assessment and mitigation
Crucially, the first thing to do following a data security breach is to assess the extent of the breach and stop or mitigate its effects. When assessing the extent of the security breach you will need to take into account the following factors:
- what personal data was lost or destroyed;
- how that personal data could be used;
- what caused the breach;
- whether the personal data was encrypted; and
- how many individuals are affected.
Any actions taken to mitigate the effects of a data security breach will be taken into account by the ICO when determining a business’s compliance with Principle 7 of the DPA. The ICO recommends that organisations should have in place an appropriate recovery plan which can be implemented by employees suitably trained in handling data security breaches. It is good practice to document all of the steps taken by the data breach team.
2. Notify the relevant parties
The second step is to consider who (if anyone) needs to be notified regarding the breach. Those parties that may need to be notified, depending on the seriousness of the breach, may include:
- the ICO;
- data subjects (mandatory for telecoms providers);
- any other joint data controllers of the personal data in question;
- insurance companies;
- any regulatory authorities (e.g. FCA);
- the police or Serious Organised Crime Agency (where a suspected criminal offence has taken place including theft, fraud, computer misuse or money laundering etc.);
- trade unions;
- bank or credit card companies (who may be able to help affected individuals reduce the risk of financial loss);
- in the case of public bodies, the Regional Local Authority Warning, Advice and Reporting Point (WARP); and
- third-party contractors.
Notifying the ICO
There is no obligation in the DPA for you to notify the ICO following a breach. However, ICO guidance advises organisations to bring “serious data breaches” to its attention. In order to determine whether a breach is serious you will need to take into account:
- the potential detriment to the data subjects (including emotional distress and physical and financial damage);
- the volume of personal data which is involved;
- the sensitivity of the data involved, such as financial or medical records or unencrypted personal data.
Where it is unclear whether a data breach is serious or not, the presumption should be to report the breach to the ICO. When notifying the ICO you will need to provide a description of the breach, the data that was subject to the breach and what security measures were in place.
Notifying Data Subjects
The ICO recommends that you should only notify data subjects if there is a reason for doing so, such as where the effects of the breach can be minimised. An example of this is where the data subjects can change the passwords to online accounts to prevent any further security breaches.
Financial Services Industry
If your organisation is regulated by the Financial Conduct Authority (FCA) you are required to comply with data security obligations set out in the Financial Services and Markets Act 2000 (FSMA) as well as those in the DPA and have in place adequate systems and controls to monitor, detect and prevent financial crime.
Like the DPA, FSMA does not prescribe how organisations should comply with FSMA but you are expected to take a risk-based approach to compliance. Principle 11 of the Principles for Businesses (PRIN) requires organisations to deal with their "regulators" in an open and co-operative manner and to disclose to the appropriate regulator anything relating to the firm of which the regulator would reasonably expect notice. You should also be aware of your responsibilities to notify the FCA and PRA under Chapter 15 of the Supervision Manual.
Telecoms Service Providers
The Privacy and Communications (EC Directive) Regulations 2003 (as amended) (PECR) require organisations that offer public communications services to notify both the ICO and the affected data subjects of a data breach. Failure to do so could result in a fixed monetary penalty notice of £1,000.
3. Investigation and remedial action
When a breach has occurred it is important to investigate its cause with a view to preventing the same thing happening again. The root cause of the breach should always be established and the appropriate action taken. You should consider whether responsibility for a data security breach can be attributed to a third-party data processor and whether action can be taken under the contract with that third party. A breach by the data processor may entitle you to enforce audit rights, recover damages or terminate the contract.
If the source of the data security breach is an employee then further data security training may be required or, in the case of serious breaches, disciplinary action could be brought against the offending employee.
A costly breach
Organisations that fail to comply with the DPA may be issued with monetary penalty notices up to a value of £500,000, depending on the extent of the data security breach. It should be noted that under the draft of the new Data Protection Regulation which is due to be implemented sometime in 2017/2018, the ICO is expected to be given more extensive powers to fine organisations based on a percentage of the organisation’s worldwide turnover (possibly as much as 5%).
Although notification to the ICO will not absolve your organisation of a fine, the ICO will take your organisation’s actions into account when determining the level of the fine. If your organisation is regulated by the FCA then the fines imposed are unlimited and financial institutions have received fines for several million pounds.
However, it is not just fines that will affect your business; the reputational impact of a security breach can affect stakeholder confidence, which may result in a loss of business. The ICO will not require you to make the breach public, but may in some circumstances advise that organisations do so. Some of the reputational impact may be mitigated by how effectively you act following a security breach by taking the steps outlined above.
Data security breaches are not something new for organisations but there have been a number of high profile breaches in recent years which suggest that organisations are not reacting to the level of business risk that such breaches pose. In order to minimise the impact on your organisation of a data security breach you should maintain and update robust technical and organisational processes to protect your data and plan and prepare your organisation in readiness for a breach.
As a minimum you should ensure that your data security policies and training materials are up to date, and that your agreements with third-party data processors provide you with adequate protection in the event that a breach occurs as a result of their processing of the personal data.