Data security breaches: getting prepared for breach disclosure
This article was first published in Complinet, in February 2011
For a variety of reasons, data security is fast becoming an issue of high importance for the financial services sector.
The Financial Services Authority’s focus on the prevention of financial crime has resulted in large fines being imposed on firms that fail to keep data and ICT systems safe and secure, as Nationwide, Zurich, HSBC, Norwich Union, Capita and BNP Paribas will confirm. The WikiLeaks dynamic showed that organisations’ secrets could be vulnerable to the whims of the whistleblower while the Renault story, which broke in January, was a stark reminder of the realities of industrial espionage. The ongoing News of the World phone hacking scandal has kept the privacy of communications firmly in the spotlight and current talk about “cybercrime”, including hacking, cyber-warfare and cyber-terrorism, has added an additional layer of worry and anxiety to the picture.
In so febrile an environment, where news of security breaches and data loss can quickly achieve international press and media attention, it is not surprising that the law has been changing quickly. Governments all over the world have introduced new legal frameworks intended to cause behavioural changes within organisations, so that they become sufficiently safe and secure. This “new legal framework” for security and confidentiality has been built around a number of components, which, broadly speaking, fall into three areas: the need for more transparency following failure; appropriate sanctions and penalties for those who fail; and a greater prescription of legal obligations. It has now been made very clear that if the data that we process have certain characteristics, they must be encrypted. Compliance programmes backed up by adequate policy frameworks must be put in place, and supply chains must be better managed. Firms also need to think much harder about the human factors, and should introduce vetting, monitoring, training and disciplinary regimes to ensure that workers toe the line.
It is, however, the issue of transparency that causes the most problems, because the injection of transparency into a failing environment can lead to regulatory investigations, litigation, press enquiries and brand and reputational damage. If it is not obvious that an organisation is behaving badly, it is difficult for it to be criticised, investigated or sanctioned. In other words, when the law focuses properly on transparency, it can lead to organisations being forced to wash their dirty linen in public. Transparency therefore lifts the lid on the worst aspects of organisational failure, leaving no room to bury the bad news.
The new legal framework for data security has tackled these realities and is now building robust transparency mechanisms, one of which is “breach disclosure”. The idea behind breach disclosure is that organisations should tell regulators and those people affected if they suffer security breaches or data loss affecting confidential data. Breach disclosure emerged as a legal concept in California back in 2003. It spread rapidly through the statute books of America, entering Europe properly in about 2006. In 2007 it fully emerged to prominence, after the UK HM Revenue and Customs department revealed that it had lost child benefit data affecting 25 million citizens. This prompted the government to mandate a breach disclosure framework for government departments and agencies. Soon after, in March 2008, the Information Commissioner, the regulator for data protection, issued guidance which required data controllers to report incidents to his office and to those people affected in certain circumstances. The FSA’s approach was revealed in April 2008, with the publication of a landmark report on financial crime. In 2009 the European Union adopted a directive which introduced a mandatory pan-European legal framework for breach disclosure for the electronic communications sector with effect from May 2011, and it started work on building a sister framework for every other sector in November 2010. Many other EU member states have put their own regimes in place.
Compliance with the new regime
This will mean that, from May 2011, telecommunications operators and internet service providers will be obliged to notify the Information Commissioner (and, in certain circumstances, the individuals affected) of a data breach. Thus, financial services providers should be reviewing their agreements with telecoms operators and ISPs, as well as any outsourcing agreements, to ensure that the suppliers’ contractual commitments to fulfil their compliance obligations are sufficiently clear. In addition, it is worth engaging with suppliers to ensure there are suitable processes in place to minimise the risk that a data breach disclosure might prejudice the financial services provider (for example, where the data breach affects the financial services provider’s operational processes or its customers, or may present a reputational risk or be inconsistent with its other regulatory obligations). The necessary procedures may need to be built into service level agreements, with quality assurance and review provisions included in the contracts. Given that this is a change of regulation, the contract may already indicate how the costs of this modification are to be allocated. Financial services firms need to introduce strategies for handling their legal obligations for transparency. They need to focus immediately on the disciplines of “incident response”, so that they can detect failure and respond properly, making disclosure where it is required. Looking further ahead, financial services providers should keep a close watch on the multi-sector data breach notification proposals as they emerge from Brussels.