Data breaches – reducing the risks and mitigating the consequences
Recent figures published by the Information Commissioner's Office (ICO) show that local authorities continue to encounter difficulties with data protection, recording the second highest number of personal data breaches last year: a total of 233 incidents.
In this article, Matthew Dyer discusses some of the key steps that can be taken to reduce the risks of a breach occurring and mitigate the impact if they do.
What does data protection law require?
The Data Protection Act 1998 (DPA) requires data controllers to take “appropriate technical and organisational security measures... against unauthorised or unlawful processing of personal data and accidental loss or destruction, or damage to, any personal data”.
Why does it matter?
The ICO has the power to issue fines of up to £500,000 for non-compliance. Indeed, since 2010 it has issued fines totalling over £1.5 million to local authorities. The new EU General Data Protection Regulation, soon to replace the DPA, will significantly increase the level of fines; the most recent draft suggests that fines will be capped at 2% of annual turnover, or €1m, whichever is the higher. This remains subject to debate, with the EU Parliament seeking maximum fines of 5% of annual turnover or €100m.
There is also a significant administrative cost attributable to responding to a data breach: it often requires the investment of substantial internal resources, and it may be necessary to engage external professionals to help. Added to this, if an individual has suffered damage or distress as a result of the breach, they may be able to claim compensation (this has been made easier by a recent Court of Appeal decision).
Last but not least, a serious data breach is almost guaranteed to reach the headlines and lead to reputational damage, both to the organisation itself and its management.
What do you need to consider?
The ICO accepts that human error is inevitable; however, it expects you to have taken steps to minimise the risk of human error occurring and the damage that will be caused if it does.
It is essential that you embed compliance measures within every part of your organisation. You should use a combination of approaches which reinforce each other. For example, policies are only valuable if you have appropriate processes in place to train your employees to follow them, and employees may only be able to follow them if they are provided with the requisite technology to do so.
Adopt a risk-based approach to deciding what level of security is appropriate. Security measures should be commensurate to the sensitivity of the data and the harm that could be caused by its disclosure. In addition to the DPA's definition of “sensitive data”, take a common sense approach to what is “sensitive” – if it’s confidential or could cause damage or distress if disclosed then it should be protected accordingly.
We’ve set out below some of the key steps that you should consider taking.
Control access to data, for example by using physical access restrictions, endpoint controls that restrict the use of removable devices, and password protection.
Employ intrusion detection systems (such as firewalls and alarms) and access monitoring (such as CCTV and activity monitoring software) to protect data and allow you to record when it has been accessed, and by whom.
Encrypt data at all times, both when in transit across a network (for example, using a Virtual Private Network) and when at rest. Ensure that portable devices, such as laptops and USB sticks, are also encrypted. The ICO has indicated that, in the event of a data breach, a failure to use encryption will be seen as an aggravating factor in any subsequent regulatory action.
Provide suitable lockable bags for transporting paper records outside of the office.
Ensure that communications sent by post or courier reach the intended recipient securely (for example, by the use of a registered delivery service requiring a signature from the recipient).
Keep software and hardware up to date and promptly install software patches to resolve known security vulnerabilities. Remove redundant software and hardware from your systems.
Policies and processes
Introduce a data protection policy, explaining what your obligations are under the DPA and the steps that an employee must take when handling personal data, and an information security policy to govern the use and monitoring of IT systems and equipment.
Train employees to act in accordance with your policies and the requirements of the DPA. To ensure that data protection remains at the forefront of your employees’ minds, impose compulsory induction and periodic refresher training tailored towards specific roles. Monitor attendance so that you can identify where training is required and, in the event of a breach, demonstrate to the ICO that it has been provided.
Assign responsibility for information governance to senior individuals within the organisation, such as a Data Protection Officer and Information Asset Owners (with responsibility for specific categories of data), to manage and supervise compliance with specific data security requirements.
Conduct periodic testing of your security infrastructure (for example, penetration testing and vulnerability assessments) to identify security weaknesses and take action to strengthen security where necessary.
Recent guidance issued by the ICO recommends that paper records should only be taken out of a secure office environment where strictly necessary, not where it is simply ‘useful’ or ‘convenient’ to do so (for example, to read on the commute home). Paper records should be transported directly to and from their destination; they should not be taken along to other locations or left unattended.
Contracts with third parties which involve the processing of personal data on your behalf must, as a minimum, be in writing and require the processor to process the data in accordance with your instructions and in compliance with the security obligations in the DPA. The ICO recommends imposing detailed obligations on processors and monitoring their compliance with those obligations. You will remain responsible for third-party processors' actions, so make sure that you are satisfied by the guarantees offered by them.
Some examples of where it’s gone wrong...
The most common breaches reported to the ICO involve the loss or theft of personal data, or the disclosure of personal data in error. We’ve provided some case studies below.
Responding to Subject Access Requests
Facts: A council employee disclosed highly sensitive personal data in response to a subject access request. A large amount of the data did not relate to the data subject and they were not entitled to receive it. There had been attempts to redact some parts of the documents but the text could still be seen underneath the redaction.
ICO’s concerns: The employee did not have appropriate supervision and it was unclear whether they had received any training.
Comments: It is important that employees are provided with sufficient training and guidance to help them identify subject access requests and disclose the appropriate data in response.
Working from home
Facts: A council employee was working from home on a personal computer and saved work documents containing sensitive personal data from a USB stick onto her computer. The computer had a file transfer program installed which was unintentionally activated, uploading the work documents onto the internet, where they remained for over 3 months.
ICO’s concerns: The council’s data protection policy was unclear and impractical. The council relied on employees to adhere to the council’s home working policy (which required sensitive data to have ‘adequate safeguards’ applied to it) without providing the technological infrastructure to achieve this. There were also no controls in place to prevent employees from using unencrypted USB sticks.
Comments: If you want to allow home working or the use of personal devices, be aware that you will have limited control over the security offered by those devices. You will need to provide employees with the means to ensure security, for example by providing secure remote access to your network or an encrypted portable device on which they can save their work. You should also operate a robust bring-your-own-device and home working policy so that employees clearly understand their responsibilities and any minimum security requirements for their devices.
Loss/theft of data
Facts: A council employee was working with sensitive personal data contained on an unencrypted USB stick whilst using a laptop that was connected to the council's network. When leaving the office, the employee forgot to remove the USB stick. When they returned to retrieve it, it was gone.
ICO’s concerns: The council failed to notify the data subjects of the incident despite the recommendations of its own internal risk assessment. The council had introduced an information security policy which stated that portable devices must be encrypted; however, it had continued to allow staff to use unencrypted devices.
Comments: Policies will have little value if they are not actively enforced. If a breach is likely to cause harm, it may be appropriate to inform the data subjects of the breach.
What to do if a breach occurs
In the event that a breach does occur, it’s important to react appropriately. You should have a data breach response policy which appoints a ‘response team’, including appropriate personnel (such as individuals from the IT and legal departments) and at least one senior representative who can make important decisions on your behalf. The policy should set out the steps that must be taken, which should include executing a containment and recovery plan, assessing the ongoing risks associated with the breach and any harm suffered, identifying who should be notified of the breach, and evaluating the causes and your response to it (both immediately and in relation to the long-term action taken).
By implementing a breach response policy effectively, you can minimise the damage caused by the breach and demonstrate both to the ICO and the wider public that you have taken the breach seriously, responded to it appropriately, and taken steps to prevent a recurrence.
For further information please contact Matthew.Dyer@dwf.co.uk, Corporate Services on 0121 200 0433
This information is intended as a general discussion surrounding the topics covered and is for guidance purposes only. It does not constitute legal advice and should not be regarded as a substitute for taking legal advice. DWF is not responsible for any activity undertaken based on this information.