Data breach notification: A legal requirement?


Stewart Room, Contributor

Are organisations required to disclose a security breach to affected persons or to regulators? This is a vexed question; on the one hand it is widely accepted that it is after a security breach that a person's data are most vulnerable to abuse and misuse and therefore they need the protection of breach notification rules.

The Data Protection Act, however, does not contain a specific breach-notification obligation. Clearly, the absence of a specific requirement sends mixed messages; the law is taking a tougher approach to data security, yet it does not require the same steps that are now essentially mandatory in the United States.

There have been tectonic movements in the breach notification landscape. In March 2008, for example, the Information Commissioner's Office -- the U.K.'s independent regulator for data protection -- published new guidance on the situations in which a data controller is expected to notify his office of a security breach. Although the legal basis of the guidance is unclear, the fact that the regulatory body desires the reporting of breaches is bound to have great influence over whether incidents are reported.

The ICO takes a quantitative and qualitative approach to breach notification. The commissioner's office states that there should be a presumption to report "where a large volume of personal data is concerned and there is a real risk of individuals suffering some harm." As a "rule of thumb," the ICO also says that a large volume of data is "any collection containing information about 1,000 or more individuals." The government has taken the same line as the commissioner and has implemented a mandatory breach-notification rule for the public sector, a position that is shared by the Financial Services Authority. However, the question remains: is there a legal obligation to report security breaches?

Although the Data Protection Act is silent on breach reporting, it does contain provisions that are indicative of the existence of an obligation to report. For example, the obligation to register as a data controller contains the requirement to keep registrations up to date, which could be interpreted to extend as far as mandating the notification of security breaches. However, the real answer to the question will not be found in the DPA, but rather in the Human Rights Act 1998.

The HRA has transposed the European Convention on Human Rights into U.K. domestic law. One of these rights is the right to privacy. Due to the way in which the HRA operates, the courts are obliged to have regard to the right to privacy in everything that they do. This means that they are obliged to protect privacy in any cases that come before them where a privacy issue is raised. Consequently, a person who suspects that a data controller has suffered a security breach stands good prospects of obtaining an order for disclosure of the details from the courts, relying upon the right to privacy. The HRA should fill the gaps left by the DPA; after all, it would be an unfortunate situation if the law protected data at all steps leading up to a security breach, but not afterwards, since it is after a breach that data and individuals need the full protection of the law.

Some suggest that the law should be clarified by Parliament, although clarification at the EU level seems to be more likely as a first step, due to the enhanced appetite of the European Commission and the European Parliament for mandatory breach notification rules. Following proposals for a new directive published by the commission in November 2007, the European Commission, Council and Parliament are now engaged in a debate about the introduction of a formal breach-reporting obligation for the electronic communications sector.

The U.K. government and the Information Commissioner have displayed a lesser appetite for the introduction of formal rules by legislation. Instead, they prefer the law to develop at regulatory level, with the result that the commissioner's rules on the reporting of breaches to his office are now in the ascendance.

The detail of breach notification laws will remain uncertain in the short to medium term, but in the longer term the introduction of formal rules by legislation seems very likely. Pending the introduction of legislation, data controllers should remain alert to further updating of the law, making necessary adjustments to their security policies as appropriate.

About the author:
Stewart Room, Barrister and Solicitor, is a partner in the Technology Law Group at Field Fisher Waterhouse LLP. He is named as one of the U.K.'s leading data protection lawyers in legal directory Chambers UK and in October 2008 he was awarded the prestigious prize of "Legal Innovator of the Year" by the Financial Times, for his work with major IT companies. He is the president of the National Association of Data Protection Officers and the author of Data Protection and Compliance in Context (December 2006), Email: Law Practice and Compliance (to be published in December 2008) and Data Security Law and Practice (to be published in July 2009). He is a visiting lecturer on information law at various universities.

All Rights Reserved, Copyright 2008 - 2010, TechTarget | Read our Privacy Policy