COMPLIANCE AND REGULATIONS

Data breach notification: A legal requirement?


Stewart Room, Contributor
12.10.2008


Are organisations required to disclose a security breach to affected persons or to regulators? This is a vexed question; on the one hand it is widely accepted that it is after a security breach that a person's data are most vulnerable to abuse and misuse and therefore they need the protection of breach notification rules.

The Data Protection Act, however, does not contain a specific breach-notification obligation. Clearly, the absence of a specific requirement sends mixed messages; the law is taking a tougher approach to data security, yet it does not require the same steps that are now essentially mandatory in the United States.

There have been tectonic movements in the breach notification landscape. In March 2008, for example, the Information Commissioner's Office -- the U.K.'s independent regulator for data protection -- published new guidance on the situations in which a data controller is expected to notify his office of a security breach. Although the legal basis of the guidance is unclear, the fact that the regulatory body desires the reporting of breaches is bound to have great influence over whether incidents are reported.

The ICO takes a quantitative and qualitative approach to breach notification. The commissioner's office states that there should be a presumption to report "where a large volume of personal data is concerned and there is a real risk of individuals suffering some harm." As a "rule of thumb," the ICO also says that a large volume of data is "any collection containing information about 1,000 or more individuals." The government has taken the same line as the commissioner and has implemented a mandatory breach-notification rule for the public sector, a position that is shared by the Financial Services Authority. However, the question remains: is there a legal obligation to report security breaches?

Although the Data Protection Act is silent on breach reporting, it does contain provisions that are indicative of the existence of an obligation to report. For example, the obligation to register as a data controller contains the requirement to keep registrations up to date, which could be interpreted to extend as far as mandating the notification of security breaches. However, the real answer to the question will not be found in the DPA, but rather in the Human Rights Act 1998.

The HRA has transposed the European Convention on Human Rights into U.K. domestic law. One of these rights is the right to privacy. Due to the way in which the HRA operates, the courts are obliged to have regard to the right to privacy in everything that they do. This means that they are obliged to protect privacy in any cases that come before them where a privacy issue is raised. Consequently, a person who suspects that a data controller has suffered a security breach stands good prospects of obtaining an order for disclosure of the details from the courts, relying upon the right to privacy. The HRA should fill the gaps left by the DPA; after all, it would be an unfortunate situation if the law protected data at all steps leading up to a security breach, but not afterwards, since it is after a breach that data and individuals need the full protection of the law.

Some suggest that the law should be clarified by Parliament, although clarification at the EU level seems to be more likely as a first step, due to the enhanced appetite of the European Commission and the European Parliament for mandatory breach notification rules. Following proposals for a new directive published by the commission in November 2007, the European Commission, Council and Parliament are now engaged in a debate about the introduction of a formal breach-reporting obligation for the electronic communications sector.

The U.K. government and the Information Commissioner have displayed a lesser appetite for the introduction of formal rules by legislation. Instead, they prefer the law to develop at regulatory level, with the result that the commissioner's rules on the reporting of breaches to his office are now in the ascendant.

The detail of breach notification laws will remain uncertain in the short to medium term, but in the longer term the introduction of formal rules by legislation seems very likely. Pending the introduction of legislation, data controllers should remain alert to further updating of the law and make the necessary adjustments to their security policies as appropriate.

About the author:
Stewart Room, Barrister and Solicitor, is a partner in the Technology Law Group at Field Fisher Waterhouse LLP. He is named as one of the U.K.'s leading data protection lawyers in legal directory Chambers UK and in October 2008 he was awarded the prestigious prize of "Legal Innovator of the Year" by the Financial Times, for his work with major IT companies. He is the president of the National Association of Data Protection Officers and the author of Data Protection and Compliance in Context (December 2006), Email: Law Practice and Compliance (to be published in December 2008) and Data Security Law and Practice (to be published in July 2009). He is a visiting lecturer on information law at various universities.
