Depending on the nature of their business and the type of data they handle, UK organisations are required to comply with an array of legal requirements, best practice and industry guidelines on how they store information.
All private and public sector bodies are subject to the Data Protection Act (DPA) as a matter of course, while the Payment Card Industry Data Security Standard (PCI DSS) is applicable to any firm processing or storing credit card information.
With the DPA having been in force since 1998, most IT managers are well aware of its requirements, which cover the way in which information about living people can be legally used and handled. The DPA’s prime objective is to prevent the misuse or abuse of that data, and its six tenets outline ways in which information should be stored and protected against loss, special exemptions and modes of enforcement, and set retention periods prior to deletion.
Organisations that fail to comply with the DPA risk heavy fines. Since last April, the Information Commissioner’s Office (ICO) has had the power to issue fines of up to £500,000 for serious breaches of the act. Despite this, data breaches remain a fairly regular occurrence.
For example, two London councils – Ealing and Hounslow – were hit by ICO fines totalling £150,000 in March this year after laptops containing data pertaining to 1,700 individuals were stolen from an employee’s home. The laptops were password-protected, but the data was not encrypted, and there was no evidence to suggest the information had been accessed by anyone. Three out of four fines issued by the ICO to date have been in connection with the loss of unencrypted laptops.
While the DPA applies to every UK organisation, it is much harder to get an accurate figure of how many are affected by PCI DSS. Under PCI DSS, merchants are divided into four levels of compliance based on the volume of credit card transactions they process in any 12-month period – six million plus, 150,000 to six million, 20,000 to 150,000 and below 20,000.
The first iteration of the standard was introduced in 2004, with the revised PCI DSS 2.0 coming into force in October last year. The regulation was created by major credit card companies including American Express, MasterCard and Visa, which can dish out fines for those found to be non-compliant.
The sums are fairly modest, by DPA standards at least – anything from $25,000 to $200,000 – but far more damaging to non-compliant businesses is the negative publicity that could affect sales and the prospect of being excluded from card acceptance programmes.
Whether UK companies appreciate the need to meet the PCI DSS requirements is a moot point. Research published in April by the Ponemon Institute on behalf of data protection vendor Imperva, and based on a poll of 670 US and multinational companies, found that 66 per cent of respondents classed themselves as PCI DSS-compliant in 2010, compared with 50 per cent in 2009.
“The level of cynicism around PCI DSS is very high, and lots of people told us they are quite sceptical about its effectiveness,” says Imperva’s director for security strategy, Rob Rachwald.
“But there is a dramatic 14 per cent difference between the compliant (99 per cent) and non-compliant (85 per cent) groups that had only one or no breaches involving cardholder data.”
Even so, the percentage of respondents reporting a data breach actually increased, from 79 per cent in 2009 to 85 per cent in 2011 (even if compliant organisations have fewer data breaches), while 88 per cent said they did not believe, or were uncertain, that PCI DSS results in a decline in data breach incidents.
“If they were describing themselves as compliant, they would have to have been audited as such by a QSA [qualified security assessor],” says Rachwald. “Some 50 per cent of those surveyed 18 months ago said they were compliant, but when asked this time, that figure rose to 66 per cent. We do not see that type of performance with other regulations, meaning PCI DSS has become one of the more effective data security regulations we have seen.”
Other regulations specifying how UK organisations handle sensitive data tend to be specific to individual industry sectors. The Privacy and Electronic Communications Regulations are applicable to companies involved in direct marketing activities, for example, while Basel II and Sarbanes-Oxley (SOX) provide rules around corporate governance and accounting (the latter only for public limited companies trading in the US). Financial Services Authority (FSA) rules are primarily designed to make sure that financial institutions are following DPA requirements correctly.
The NHS and other organisations involved in healthcare provision must also comply with additional regulations around confidentiality, access to data and records management.
No organisation can afford to rest on its laurels when it comes to data protection compliance, however – even if it manages to stay on top of UK legislation, that legislation could change. The European Commission (EC) says the UK’s data protection and privacy laws are not adequate, and has referred a case to the European Court of Justice (ECJ) after complaints about BT’s trials of Phorm’s behavioural advertising technology, which monitored individual web browsing habits for targeted advertising purposes.
The EC has also criticised the ICO for not having enough enforcement power, while the UK has not implemented the EU Data Protection Directive, which could prove a game-changer in itself.