[BreachExchange] Security breaches under the spotlight
Audrey McNeil
audrey at riskbasedsecurity.com
Tue May 24 20:06:47 EDT 2016
http://www.bcs.org/content/conWebDoc/56043
Suffering a security breach is a stressful and demanding time for any IT
department and any business. The immediate concerns following a breach will
revolve around how the company can contain the breach, identify the
security weakness that has been exploited and also ascertain the scale of
the breach and the potential damage to the company’s reputation.
All these matters absorb management time and resources. However, it is also
important to consider the legal repercussions of a security breach,
particularly as the clock can start ticking from the moment a breach is
identified when it comes to a company’s reporting obligations.
The Data Protection Act 1998 (DPA) and the Privacy and Electronic
Communications (EC Directive) Regulations 2003 (PECR) impose
responsibilities, obligations and duties on a company that has suffered an
IT breach which has compromised the security of its customers’ personal
data. It is imperative to appreciate what steps should be taken to mitigate
legal and reputational risk after an IT security failure.
Is the company required to disclose the breach?
The most important obligation is for companies to disclose all ‘serious
data security breaches’ to the Information Commissioner’s Office (ICO), the
UK’s privacy and information regulator. Specialist legal advice is often
needed to (1) determine whether the breach is sufficiently ‘serious’ under
the DPA and (2) manage reporting obligations and the fallout from the
breach - the latter is advisable whether or not the breach is considered
‘serious’.
As a guide to analysing the seriousness of any breach, the ICO recommends
that companies assess the likely detriment to the individuals affected by
the breach (e.g. exposure to ID theft, information about their private
lives etc.) as well as the sensitivity and volume of the data involved.
Where a company is a ‘telecoms or internet service provider’ under PECR
(what this means in practice is complex, but is likely to include mobile
phone network providers, wi-fi internet providers and potentially even
businesses which offer a public wi-fi network to customers, e.g. shopping
centres), it must notify the ICO within 24 hours of the breach being
detected. Telecoms or internet service providers are also obliged to inform
consumers of the breach if it is likely to adversely affect them.
A second sector of companies who should be aware of particular reporting
obligations which apply to them are financial services providers. Companies
operating in this field should be aware of the Financial Conduct
Authority’s expectations for them to protect themselves and their customers
against cyber threats and the punishments that can be imposed for a failure
to meet these duties.
The Financial Conduct Authority has recently imposed fines of over £3
million on three banking companies for failing to ensure that they had
adequate systems to protect their customers’ confidential details from
being compromised.
The breaches identified by the Financial Conduct Authority included failing
to ensure that confidential customer information was kept in locked
cabinets rather than being left on open shelves and the sending of large
amounts of unencrypted customer details by post, which resulted in two
discs containing the details of over 180,000 policy holders being lost in
the post. In the past, other firms to have been fined by the Financial
Conduct Authority for similar information security breaches include
Nationwide (£980,000), Norwich Union (£1,260,000) and Zurich Insurance
(£2,275,000).
In addition to the risk of being fined, companies should also be aware of
the reputational damage caused by a failure to disclose an IT security
breach. Companies that disclose a security breach quickly and transparently
to customers, insurers and the wider market can lessen the impact on their
corporate image caused by a data breach.
Loss of data and the ICO
A security breach can take many forms, but a common factor is the theft of
customer records and data by a hacker or hackers. Companies that have
suffered such breaches in the past five years include Bank of Scotland,
Sony, and Staysure Insurance. The ICO can impose fines of up to £500,000
for such security breaches, together with publicly sanctioning companies it
finds to be in breach of the security obligations under the DPA, bringing
consumer scrutiny and reputational damage.
Each of the companies named above was fined, or is facing a fine, for the
loss of sensitive data that resulted from the breach of its IT systems by
hackers or, in a recent case involving a leading supermarket, by a
disgruntled employee. Examining each of these cases gives an insight into
the ICO’s approach and reasoning when deciding the appropriate penalties
for breaches of the DPA and/or PECR of this kind.
Following Staysure’s loss of the credit card details of 5,000 customers,
the ICO fined the online travel insurance company £175,000 and publicly
criticised its failure to update database software and its lack of a policy
or procedures to review and update its IT systems - all factors that led to
the relatively high fine imposed on the company.
The breach of Sony’s PlayStation Network platform in 2011, which led to a
range of customer personal data being exposed, warranted a fine of £250,000
from the ICO. This fine could potentially have been much larger were it not
for several mitigating factors in Sony’s defence which the ICO took into
account, including the fact that Sony did have security measures in place,
even if those measures were not sufficient in the ICO’s opinion, and that
Sony had quickly informed customers about the attack and offered to
compensate them.
Although it has the power to fine companies as a punishment for the breach
of data protection legislation, the Information Commissioner does not have
the right to award compensation to individuals who have suffered as a
result of breach of data protection legislation. However individuals can
initiate claims for unlimited damages in court where they feel a company
has breached its obligation under the DPA and/or PECR.
Future plans
Companies should be aware that the penalties for breach of the data
protection legislation, including loss of data in the manners discussed,
are likely to be increasingly severe in the future as the draft Data
Protection Regulation (the Regulation) progresses through the EU
Legislative process.
The Regulation will be binding on all EU member states when it comes into
force and will impact all organisations that process personal data. Whilst
the Regulation is still in draft form (with the final form not expected to
be agreed until the end of 2015/early 2016 and implementation in or around
2017/2018), it is currently proposed that companies in breach of data
protection legislation will be subject to fines of up to 2-5 per cent of
their global annual turnover, up to specified caps, depending on whether
the Commission, Council or Parliament view holds out.
Another key element of the Regulation is a duty on companies to report data
security breaches to the regulator ‘without undue delay’ and where
feasible, within 72 hours of becoming aware of the breach, as well as a
duty to inform the individuals affected. This will apply where the breach
is likely to present a ‘high risk’ for the rights/freedoms of the affected
individuals, e.g. financial loss, identity theft, discrimination.
Whilst there is ongoing negotiation about the trigger and timing for
mandatory data security breach reporting, that it will become compulsory in
some form is highly likely. The passing of the Regulation, with such high
potential fines, will no doubt impel companies to review their data
security measures and introduce ‘data protection by design’ models by
implementing data protection safeguards at the outset of their projects to
develop products and services.
What can you do?
The ICO regularly publishes guidance on data security breach management
which sets out the regulator’s expectations of the IT security measures it
expects from companies under the DPA. This guidance together with the ICO’s
reports of cases where it has found companies guilty of failing to comply
with data protection legislation provide illuminating guidance of the
approach that companies are expected to take and what the ICO considers to
be best practice.
Companies are expected not only to protect the personal data they hold but
also, as part of that, to maintain plans for how to deal with and respond
to potential IT security breaches. They should adopt a proactive mindset,
linking in with other crisis management protocols they may have and with
colleagues elsewhere in the organisation, such as legal, HR, and the
PR/marketing team, to consider how they would be able to respond to
breaches.
In these scenarios, the ICO and other regulators will look at the methods
and procedures that companies have used in order to maintain strong,
effective and regularly updated defences against data loss and misuse.
This may include data management or protection policies that all staff
handling personal data are aware of; appropriate record
retention/destruction policies and processes; appropriate data
categorisation; regular updating of IT security mechanisms and tools
related to that categorisation; regular training and awareness raising;
audits; and procedures and plans for dealing with IT security breaches so
as to minimise loss from the breach.