Security Definitive Guide pt3: Damage limitation

27 Apr 2010


What are the key steps an organisation needs to take in the immediate aftermath of a data breach?
Organisations should have in place a data security policy and a breach management team that can react swiftly and decisively when a breach is discovered or suspected. The team should include at least one senior officer, so that the decisions needed to limit the impact of the breach can be taken without delay. Once the breach has been investigated and the immediate damage contained, the organisation needs to identify any relevant “data controllers” that may be affected by the breach. Under the Data Protection Act 1998 (DPA), a data controller is the party that determines the purposes for which, and the manner in which, personal data is processed. It is not always obvious who this is, for example where one public body processes data for purposes determined by another public body.


The organisation then has to consider who needs to be notified of the breach. The Information Commissioner’s Office should be notified of any serious data security breach, such as one that poses a significant risk of harm to individuals, or one involving a large volume of data or sensitive personal data. It may be helpful, or commercially sensible, to notify other data controllers, although the DPA does not oblige organisations to do so. Insurers may also require notification under the relevant policies. Generally speaking, data subjects need not be notified of the breach unless there is a good reason for doing so, for example if they need to change their passwords to protect themselves.

Relevant contracts should also be checked. If the breach was caused by a third-party data controller or processor – for example, a cloud service provider – the organisation should pay particular attention to whether the security obligations in the contract were adequate for the purposes of compliance with Principle 7 of the DPA, the “security principle”. Does the data controller or data processor have a potential claim, or any liability, under the contract? Do any other provisions apply to the breach, for example in relation to notification and liability?

Disciplinary action against culpable employees will often be appropriate, depending on the internal policies of the organisation, the adequacy of the training the employee received, and whether there has been any breach of statute that could justify immediate suspension or summary dismissal.

Finally, security procedures and contractual safeguards should be reviewed in light of the breach. If they are not adequate to comply with the security principle, consideration should be given to how to improve them.

How can I ensure that overseas suppliers handle my company’s data in compliance with the UK Data Protection Act?
The DPA imposes obligations on data controllers in relation to personal data. These obligations govern the way in which personal data is collected, stored and processed. There are two key obligations in relation to third-party processors. The first is to keep all personal data secure: appropriate technical and organisational measures must be in place to protect that data against unauthorised or unlawful processing and against accidental loss, destruction or damage (the seventh principle). This obligation has to be imposed on every data processor by means of a written contract. The second is that personal data must not be transferred outside the European Economic Area (EEA) unless certain safeguards have been put in place (the eighth principle).

So what do you, as a data controller, have to do? In all cases, you must undertake due diligence on your third-party processors. You need to satisfy yourself that the processor has appropriate security in place. It is no longer sufficient merely to enter into a data processor agreement: you have to take active steps to review, and to keep under review, the security measures your processor has put in place.

In addition, you need to ensure that you know where your data is being held and processed. It sounds obvious, but this can be surprisingly difficult in an age of offshore help-desk and restore services, and where organisations entrust their data to cloud service providers using multiple datacentres around the world. The obligation on you is clear. If the data is going to be processed outside the EEA, you must ensure that it is done in a country the EU has approved as having adequate data protection laws, of which there are precious few. In the US a processor can get around this obstacle by registering under the Safe Harbor regime. If the processor is neither based in a country approved by the EU nor registered under Safe Harbor, all is not lost: the EU has developed model clauses for use in such circumstances.

The EU model clauses are used to create a contract with the foreign data processor that imposes stringent obligations on the way in which the personal data is to be processed and the security measures to be put in place. However, this does not relieve you of your obligation to review the processor’s security measures and to keep them under review. At present, the model clauses are drafted in such a way that the data controller has to enter into an agreement directly with each data processor. This is shortly due to change, and existing data processors will then be able to appoint sub-processors using model clauses. This is a welcome change, but you will still need to know where your data is being stored and processed. You should therefore ask the data processor whether it uses offshore entities to process the data and whether it uses offshore datacentres. In any event, you need to restrict your data processor’s ability to transfer data offshore without your express consent.
