Picture the scene: it's almost 5pm on Friday afternoon and a key database server crashes moments before a scheduled backup. Close analysis reveals it's not accident; rogue code has infected the machine, potentially exposing hundreds of customer records. What's the first thing you do?
Despite the temptation, your first move doesn't have to be ringing the customer and telling them the bad news, said Graham Titterington, a senior analyst with Ovum: "You shouldn't rush to disclose the information; there's a chance the perpetrator doesn't know what they've taken."
UK businesses are not legally required to inform anyone if there is a breach of data security and the majority of cases never hit the headlines, said Titterington. "Unless you operate in something like legal or financial services, where you need to inform regulators when there's a problem, disclosure is down to your conscience and whether you think it's the right thing to do from a PR perspective. In some cases, going public makes you look more responsible, particularly if the information is likely to get out anyway."
This doesn't mean that small businesses don't have a legal obligation to secure client data, however; there are a number of legal issues, including the application of the Data Protection Act, explained Caroline Egan, a consultant with law firm Hammonds. "A business has responsibility for personal data that it collects on its own behalf about its employees, customers and individual suppliers under the Act," explained Egan. "Failure to comply could lead to censure, fines or to further legal action."
Under the Data Protection Act, a business is usually either a "data controller" or "data processor". Any business that chooses what information it collects, from whom and for what purposes is considered a data controller. A business that simply processes information on behalf of a third party, in accordance with instructions, is considered a data processor. For example, a business collecting customer-payment details for new orders would be a data controller, while the outsourcer using the credit-card numbers to take payments would be considered a data processor.
Legally, this distinction is important, said Egan. "As a data controller, a business must take 'appropriate organisational and technological measures to prevent the accidental or malicious loss of data, disclosure or corruption'," she said.
Businesses that are considered data controllers aren't only responsible for their own processes, Egan added: "If you hire an external contractor, you must do proper due diligence as to what security measures they take to keep information secure, and you must have a written contract with the data processor, which must include a specific obligation on them not to do anything with data other than what you ask and for them to take appropriate security measures."
The question of due diligence is becoming increasingly important, with the information commissioner recently stressing the responsibility that data controllers have in this regard, said Egan. "If someone suffers a loss because your payroll processor makes a stupid mistake and you didn't have a contract specifying the measures you wanted them to take to protect that data, then you are potentially liable," she explained. "However, if you have taken the proper steps to vet the processor and review their processes, it becomes their liability, not yours."
Egan stressed that businesses can't simply get away with vague contracts for data processors that insist on "appropriate" measures being taken. "It's important that the contract specifically spells out what measures you expect contractors to take, and that you continue to monitor the contractor through the [life of the] contract to demonstrate that you have met your own legal obligations," said Egan.
There is no set standard for what constitutes "appropriate measures", but businesses can get some guidance from the Information Commissioner's Office (ICO) and the British Standard for Information Security Management 7799, which provides a useful framework for security policies.
A good organisational security policy should start with the basics, advised Keith Arrowsmith, a partner in the technology practice at law firm HLW Commercial Lawyers. "Don't forget the simple stuff. People should be locking office doors, controlling third-party access to the building and shredding files before they are disposed of," he said. "That stuff needs to be enforced before you look at anything else."
Also, businesses should consider providing employees with guidance on what they can do with client information, added Egan. "If you have HR or customer-relations staff handling client data, it's important they understand what they can and can't do with that information," she said. For example, employees should realise that...