Data security and cyber risks - In House Lawyers Forum 2013, Richard Nicholas
TRANSCRIPT
• some recent news and developments
• difference between data protection and data security
• what the law says
• what to do about it
• news from the ICO
Some recent news and developments
• ICO fines against UK public authorities exceed £4m for shoddy data handling
• only £526,000 from private companies – why?
• Commission Regulation 611/2013: amendment to the Privacy and Electronic Communications Regs (25 August 2013)
• U.S. beefs up security measures before possible military strike on Syria
• council employee publishes vulnerable children's welfare details online – ICO website
Difference between data protection and data security
• ‘data protection’ deals with the treatment of ‘personal data’
• in Europe, Directive 95/46/EC regulates it
• in the UK, the Data Protection Act 1998
• ‘data security’ means securing data using various techniques and technologies
Monetary loss due to cyber crime
• 18.4% of the population have had their online accounts hacked
• 8% of whom have lost money in the past year as a result of cyber crime
• of the population of Britain, 2.3% reported losing more than £10,000 online
• British businesses take the largest loss, at £27.1bn
• 2013 reported typical costs of dealing with a single incident ranging between £35,000 and £850,000
• reputational risk
• fines
What does UK law say about data security?
• principle 7 of the Data Protection Act
• “appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”
• proposed EU Data Privacy Regulation (covered last time)
• Article 4(9) includes a new definition of ‘personal data breach’ as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed"
• in addition, new detailed requirements are imposed on data controllers, as part of the new accountability principle (Article 5(f)), to adopt policies and implement appropriate measures to ensure, and to be able to demonstrate, that the controller processes personal data in compliance with the regulation
• the measures that the data controller must take under Article 22 include
– keeping records and documentation about its processing activities (Article 28)
– implementing data security requirements and complying with security breach notification obligations (Articles 30 to 32)
– carrying out data protection impact assessments (Article 33)
– appointing a data protection officer (Article 35(1))
– new requirements for data protection by design and by default (Article 23)
– new obligations imposed on data processors (Article 26)
What to do about it
1. prepare for the worst
2. minimise risk
3. ensure supply chain and partners are signed up to similar provisions
4. test it
• imagine…
• you’ve lost: customer data, supplier details, forecast sales, market sensitive information
• what would you need to do next?
• assign roles - who will
– deal with the press, the public, the regulators?
– deal with employees / emergency response?
– fix the problem – IT / employees?
– put business continuity plans into action?
– deal with legal claims?
– check your insurance cover?
• have a policy (internally)
– passwords, encryption, processes
– identify ‘high risk’ data (restrict access?)
– not just a firewall – shut the doors inside the building (not just those on the outside)
– keep access logs
• ensure that your suppliers comply with similar terms
– policies & standards (ISO 27001)
– notification of breach
– co-operation and assigned roles
• test / audit your process and those of your suppliers
• the worst breach is the one you’ve not found out about yet
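The internal policy points above (identify ‘high risk’ data and restrict access to it, keep access logs, and then audit them so a breach does not go unnoticed) can be made concrete in a few lines. The following is an added example, not code from the talk or from any product it mentions; the roles, classifications, record ids and users are all constructed for illustration.

```python
# Added example, not from the slides: a minimal internal access policy that
# restricts 'high risk' records by role and keeps an access log that can be
# reviewed afterwards. All names, roles and records are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Classifications the policy recognises (constructed).
PUBLIC, INTERNAL, HIGH_RISK = "public", "internal", "high_risk"

# Least privilege: each role may read only the classifications listed here.
# Roles not in the table get no access at all.
ROLE_PERMISSIONS = {
    "finance": {PUBLIC, INTERNAL, HIGH_RISK},
    "marketing": {PUBLIC, INTERNAL},
    "contractor": {PUBLIC},
}


@dataclass
class Record:
    record_id: str
    classification: str
    payload: dict


@dataclass
class AccessLog:
    """Append-only list of access attempts, allowed or not."""
    entries: list = field(default_factory=list)

    def write(self, user, role, record_id, classification, allowed, reason):
        self.entries.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "record": record_id,
            "classification": classification,
            "allowed": allowed, "reason": reason,
        })


def access_record(store, log, user, role, record_id):
    """Return the record payload if the role may read it.

    Every attempt is logged, including denials and lookups of unknown ids,
    so the log shows probing as well as successful reads."""
    record = store.get(record_id)
    if record is None:
        log.write(user, role, record_id, None, False, "no such record")
        raise KeyError(record_id)
    if record.classification not in ROLE_PERMISSIONS.get(role, set()):
        log.write(user, role, record_id, record.classification, False,
                  "classification not permitted for role")
        raise PermissionError(f"{user} ({role}) may not read {record_id}")
    log.write(user, role, record_id, record.classification, True, "ok")
    return record.payload


def review_log(log):
    """Summarise the log the way a periodic audit would: denied attempts on
    high-risk data, and how many high-risk records each user actually read."""
    denied_high_risk = [e for e in log.entries
                        if not e["allowed"] and e["classification"] == HIGH_RISK]
    reads_by_user = {}
    for e in log.entries:
        if e["allowed"] and e["classification"] == HIGH_RISK:
            reads_by_user[e["user"]] = reads_by_user.get(e["user"], 0) + 1
    return {"denied_high_risk": len(denied_high_risk),
            "high_risk_reads_by_user": reads_by_user}


def demo():
    """Run a handful of constructed accesses and return the audit summary
    together with the number of log entries written."""
    store = {
        "cust-001": Record("cust-001", HIGH_RISK, {"name": "A. Example", "card_last4": "0000"}),
        "cust-002": Record("cust-002", HIGH_RISK, {"name": "B. Example", "card_last4": "1111"}),
        "forecast-q3": Record("forecast-q3", INTERNAL, {"sales": 120000}),
        "press-kit": Record("press-kit", PUBLIC, {"url": "https://example.invalid/kit"}),
    }
    log = AccessLog()
    attempts = [
        ("alice", "finance", "cust-001"),      # allowed
        ("alice", "finance", "cust-002"),      # allowed
        ("bob", "marketing", "forecast-q3"),   # allowed
        ("bob", "marketing", "cust-001"),      # denied: high risk
        ("carol", "contractor", "press-kit"),  # allowed
        ("carol", "contractor", "cust-002"),   # denied: high risk
        ("carol", "contractor", "cust-999"),   # denied: unknown record
    ]
    for user, role, record_id in attempts:
        try:
            access_record(store, log, user, role, record_id)
        except (KeyError, PermissionError):
            pass  # the denial is already recorded in the log
    return review_log(log), len(log.entries)


if __name__ == "__main__":
    summary, count = demo()
    print(count, "attempts logged;", summary)
```

The point of logging denials as well as successes is the last bullet above: a review that only counts successful reads never sees the contractor probing for customer records, whereas the summary here surfaces both the two denied high-risk attempts and which user actually read high-risk data.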
News from the ICO
• updated data protection regulatory action policy
• FOIA dataset provisions from 1 September 2013: new fees regulations and ICO guidance
• consultation on conducting privacy impact assessments code of practice
• subject access request code of practice
• surveillance camera code of practice comes into force
• Ofcom and ICO action plan on nuisance calls
Get in touch if you have any questions or would like further information.
t +(0)115 976 6108