Picture the scene: it's almost 5pm on Friday afternoon and a key database server crashes moments before a scheduled backup. Close analysis reveals it's not accident; rogue code has infected the machine, potentially exposing hundreds of customer records. What's the first thing you do?
Despite the temptation, your first move doesn't have to be ringing the customer and telling them the bad news, said Graham Titterington, a senior analyst with Ovum: "You shouldn't rush to disclose the information; there's a chance the perpetrator doesn't know what they've taken."
UK businesses are not legally required to inform anyone if there is a breach of data security and the majority of cases never hit the headlines, said Titterington. "Unless you operate in something like legal or financial services, where you need to inform regulators when there's a problem, disclosure is down to your conscience and whether you think it's the right thing to do from a PR perspective. In some cases, going public makes you look more responsible, particularly if the information is likely to get out anyway."
This doesn't mean that small businesses don't have a legal obligation to secure client data, however; there are a number of legal issues, including the application of the Data Protection Act, explained Caroline Egan, a consultant with law firm Hammonds. "A business has responsibility for personal data that it collects on its own behalf about its employees, customers and individual suppliers under the Act," explained Egan. "Failure to comply could lead to censure, fines or to further legal action."
Under the Data Protection Act, a business is usually either a "data controller" or "data processor". Any business that chooses what information it collects, from whom and for what purposes is considered a data controller. A business that simply processes information on behalf of a third party, in accordance with instructions, is considered a data processor. For example, a business collecting customer-payment details for new orders would be a data controller, while the outsourcer using the credit-card numbers to take payments would be considered a data processor.
Legally, this distinction is important, said Egan. "As a data controller, a business must take 'appropriate organisational and technological measures to prevent the accidental or malicious loss of data, disclosure or corruption'," she said.
Businesses that are considered data controllers aren't only responsible for their own processes, Egan added: "If you hire an external contractor, you must do proper due diligence as to what security measures they take to keep information secure, and you must have a written contract with the data processor, which must include a specific obligation on them not to do anything with data other than what you ask and for them to take appropriate security measures."
The question of due diligence is becoming increasingly important, with the information commissioner recently stressing the responsibility that data controllers have in this regard, said Egan. "If someone suffers a loss because your payroll processor makes a stupid mistake and you didn't have a contract specifying the measures you wanted them to take to protect that data, then you are potentially liable," she explained. "However, if you have taken the proper steps to vet the processor and review their processes, it becomes their liability, not yours."
Egan stressed that businesses can't simply get away with vague contracts for data processors that insist on "appropriate" measures being taken. "It's important that the contract specifically spells out what measures you expect contractors to take, and that you continue to monitor the contractor through the [life of the] contract to demonstrate that you have met your own legal obligations," said Egan.
There is no set standard for what constitutes "appropriate measures", but businesses can get some guidance from the Information Commissioner's Office (ICO) and the British Standard for Information Security Management 7799, which provides a useful framework for security policies.
A good organisational security policy should start with the basics, advised Keith Arrowsmith, a partner in the technology practice at law firm HLW Commercial Lawyers. "Don't forget the simple stuff. People should be locking office doors, controlling third-party access to the building and shredding files before they are disposed of," he said. "That stuff needs to be enforced before you look at anything else."
Also, businesses should consider providing employees with guidance on what they can do with client information, added Egan. "If you have HR or customer-relations staff handling client data, it's important they understand what they can and can't do with that information," she said. For example, employees should realise that...
...data cannot be copied or shared; in some cases, it may be possible to use software to prevent such actions. "You could also flag up to people that, if they pass on information, they could be criminally liable," said Egan.
Training is vital to ensure that employees don't put client data at risk, even accidentally, said Titterington: "Most data breaches come from bad staff decisions and usually they are accidental." For example, a common trick of thieves is to contact a call centre pretending to be someone else and browbeat the agent into revealing confidential account information. "That sort of social engineering can easily be addressed with good training," he said.
In terms of technological measures to protect client data, most of the systems should already be in place, Titterington said. Up-to-date, effective antivirus and intrusion-detection software, together with network monitoring and clear acceptable-use policies can go a long way towards protecting sensitive information. "You should probably also look at locking down information by restricting what can be downloaded or removed via mobile devices," he added. "And check potential weak spots; it's very easy for information to be attacked through internet-connected applications using something like an SQL injection."
Arrowsmith advised also rolling out other security systems to ensure that users are protecting their computers with strong passwords that are regularly changed; making sure that information is encrypted at every stage; making certain unused terminals are locked; and employing software to back up data and monitor all network activity. "Employees should be absolutely clear what the policy is and how it is enforced," said Arrowsmith.
If a data breach does occur, the ICO does not itself have the power to bring prosecutions, but individuals who suffer loss because of the breach may have a case to bring, said Eldin Rammell, managing director of Rammell Consulting, a consulting firm specialising in information management.
"If someone could prove there had been a loss which could be directly attributed to the data leak and that the data controller was negligent in not preventing the leak, there could be a civil case for damages," said Rammell. "But, if the data controller had robust procedures in place to prevent data loss and the breach was down to a fraudulent employee, it would be difficult to prove that the employer was negligent. If there were no such procedures, a case would be easier to prosecute."
Other legal issues around data breaches include a potential breach of confidentiality, an infringement of copyright and a breach of any number of contractual or regulatory requirements, said Arrowsmith. "As well as a statutory right to claim, there may well be an opportunity for an individual to claim for damages for a breach of contract, confidentiality or copyright, all of which could lead to a cash payment, the size of which would depend on the nature of the loss that customer has suffered. For a small business, obviously this could be catastrophic."
Even the best policies and technologies can't protect you against every eventuality, and that's where a good insurance policy can come in useful, said Arrowsmith. But it's worth remembering that insurers will only pay out if you can show that you have the best possible policies and systems in place to minimise the risks your business faces.
Tips for protecting customer data
- Appoint someone in the company to be responsible for all data-protection and security issues, whether it's HR or customer data
- Go to the ICO website and read the good practice notes, which are particularly helpful for SMEs
- Check whether you need to register with the information commissioner
- Remember that, if you are doing something with data on behalf of someone else who controls the data, then your legal position will depend on what it says in the contract. The flip side of this is that, if you outsource any activity so that others are processing data on your behalf, as the original data controller you are still responsible to the ultimate subject of that data
- Make sure your data is safely gathered and stored. Old data should be reviewed and deleted where appropriate
- Make sure staff are trained and understand that unauthorised disclosure of data is an offence
- Be careful if your business extends outside the EU. There are different rules on data security abroad and your responsibility to disclose data leaks will be different in, for example, the US