Data security and cyber risks - In house lawyers forum 2013, Richard Nicholas

Data security & cyber risks In house lawyers forum – autumn 2013

• some recent news and developments

• difference between data protection and data security

• what the law says

• what to do about it

• news from the ICO

• ICO fines against UK public authorities exceed £4m for shoddy data handling

• only £526,000 from private companies – why?

• commission regulation 611/2013 amendment to Privacy and Electronic Communications Regs (25 August 2013)

• U.S. beefs up security measures before possible military strike on Syria

• council employee publishes vulnerable children's welfare details online – ICO website

• ‘data protection’ deals with the treatment of ‘personal data’

• in Europe, the Directive 95/46/EC regulates

• in the UK, the Data Protection Act 1998

• ‘data security’ means securing data using various techniques and technologies

Monetary loss due to cyber crime

• 18.4% of the population have had their online accounts hacked

• 8% of whom have lost money in the past year as a result of cyber crime

• of the population of Britain, 2.3% reported losing more than £10,000 online

• with British businesses taking the largest loss at £27.1bn

• 2013 reported typical costs of dealing with a single incident ranging between £35,000 and £850,000

• reputational risk

• fines

What does UK law say about data security?

• principle 7 of the Data Protection Act

• “appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”

• proposed EU Data Privacy Regulation (covered last time)

• Article 4(9) includes a new definition of ‘personal data breach’ as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed"

• in addition, new detailed requirements imposed on data controllers, as part of the new accountability principle (Article 5(f)), to adopt policies and implement appropriate measures to ensure, and to be able to demonstrate, that the controller processes personal data in compliance with the regulation

• the measures that the data controller must take under Article 22 include

– to keep records and documentation about its processing activities (Article 28)

– to implement data security requirements and comply with security breach notification obligations (Articles 30 to 32)

– to carry out data protection impact assessments (Article 33)

– to appoint a data protection officer (Article 35(1))

– new requirements for data protection by design and by default (Article 23)

– new obligations imposed on data processors (Article 26)

1. prepare for the worst

2. minimise risk

3. ensure supply chain and partners are signed up to similar provisions

4. test it

• imagine…

• you’ve lost: customer data, supplier details, forecast sales, market sensitive information

• what would you need to do next?

• assign roles – who will

– deal with the press, the public, the regulators?

– deal with employees / emergency response?

– fix the problem – IT / employees?

– put business continuity plans into action?

– deal with legal claims?

– check your insurance cover?

• have a policy (internally)

– passwords, encryption, processes

– identify ‘high risk’ data (restrict access?)

– not just a firewall – shut the doors inside the building (not just those on the outside)

– keep access logs

• ensure that your suppliers comply with similar terms

– policies & standards (ISO 27001)

– notification of breach

– co-operation and assigned roles

• test / audit your process and those of your suppliers

• the worst breach is the one you’ve not found out about yet

• updated data protection regulatory action policy

• FOIA dataset provisions from 1 September 2013: new fees regulations and ICO guidance

• consultation on conducting privacy impact assessments code of practice

• subject access request code of practice

• surveillance camera code of practice comes into force

• Ofcom and ICO action plan on nuisance calls

Get in touch if you have any questions or would like further information.

t +(0)115 976 6108
