Data breach notification: A legal requirement?

The Data Protection Act, however, does not contain a specific breach-notification obligation. Clearly, the absence of a specific requirement sends mixed messages; the law is taking a tougher approach to data security, yet it does not require the same steps that are now essentially mandatory in the United States.

There have been tectonic movements in the breach notification landscape. In March 2008, for example, the Information Commissioner's Office -- U.K.'s independent regulator for data protection -- published new guidance on the situations in which a data controller is expected to notify his office of a security breach. Although the legal basis of the guidance is unclear, the fact that the regulatory body desires the reporting of breaches is bound to have great influence over whether incidents are reported.

The ICO takes a quantitative and qualitative approach to breach notification. The commissioner's office states that there should be a presumption to report "where a large volume of personal data is concerned and there is a real risk of individuals suffering some harm." As a "rule of thumb," the ICO also says that a large volume of data is "any collection containing information about 1,000 or more individuals." The government has taken the same line as the commissioner and has implemented a mandatory breach-notification rule for the public sector, a position that is shared by the Financial Services Authority. However, the question remains: is there a legal obligation to report security breaches?

Although the Data Protection Act is silent on breach reporting, it does contain provisions that are indicative of the exist

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Compliance and regulations Basel II risk management and implementation guide Meet Basel II operational risk, compliance requirements with BS 25777 How to achieve PCI DSS compliance in a midmarket business Preparing enterprise Wi-Fi networks for PCI compliance PCI compensating controls: Loopholes or lifesavers? A preview of PCI virtualization specifications Information security forecast: Security management in 2009 The power of the ICO: Liabilities for a data security breach Using ISO 27000 to comply with Data Protection Act principles Latest U.K. data security laws get tough on fines, PETs and policies Business Continuity and Disaster Recovery Information security recruitment freezes as security staffs sit tight EMC adds configuration management with Configuresoft acquisition CISSP Essentials training: Domain 10, Operations Security CISSP Essentials training: Domain 7, Business Continuity Firms muddle security breach response, expert says The opportunities and risks of cloud computing services Data breach costs: £60 per record, says Ponemon Recovery plans essential for preventing data loss disasters Do data security breach notification laws work? Reports show security awareness and training are still lagging IT Security Standards CSA, Jericho Forum unite on cloud computing security message When IT security costs are cut, which security product is a must? What considerations should be made when outsourcing IT infrastructure? How to apply government data classification standards to your company Basel II risk management and implementation guide Meet Basel II operational risk, compliance requirements with BS 25777 Q&A: Google to defend cloud computing security CISSP Essentials training: Domain 4, Security Models and Architecture CISSP Essentials training: Domain 8, Law, Investigations and Ethics Firm Basel II risk management requirements needed now more than ever

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Financial Services Authority  (SearchSecurityUK.com) IISP (Institute of Information Security Professionals)  (SearchSecurityUK.com) ISO 27001  (SearchSecurityUK.com) Jericho Forum  (SearchSecurityUK.com) UK Identity Cards Act  (SearchSecurityUK.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

ence of an obligation to report. For example, the obligation to register as a data controller contains the requirement to keep registrations up to date, which could be interpreted to extend as far as mandating the notification of security breaches. However, the real answer to the question will not be found in the DPA, but rather in the Human Rights Act 1998.

The HRA has transposed the European Convention on Human Rights into U.K. domestic law. One of these rights is the right to privacy. Due to the way in which the HRA operates, the courts are obliged to have regard to the right to privacy in everything that they do. This means that they are obliged to protect privacy in any cases that come before them where a privacy issue is raised. Consequently, a person who suspects that a data controller has suffered a security breach stands good prospects of obtaining an order for disclosure of the details from the courts, relying upon the right to privacy. The HRA should fill the gaps left by the DPA; after all, it would be an unfortunate situation if the law protected data at all steps leading up to a security breach, but not afterwards, since it is after a breach that data and individuals need the full protection of the law.

Some suggest that the law should be clarified by Parliament, although clarification at the EU level seems to be more likely as a first step, due to the enhanced appetite of the European Commission and the European Parliament for mandatory breach notification rules . Following proposals for a new directive published by the commission in November 2007, the European Commission, Council and Parliament are now engaged in a debate about the introduction of a formal breach-reporting obligation for the electronic communications sector.

The U.K. government and the Information Commissioner have displayed a lesser appetite for the introduction of formal rules by legislation. Instead, they prefer the law to develop at regulatory level, with the result that the commissioner's rules on the reporting of breaches to his office are now in the ascendance.

The detail of breach notification laws will remain uncertain in the short to medium term, but in the the longer term, the introduction of formal rules by legislation seems to be very likely. Pending the introduction of legislation, data controllers should remain alert to further updating of the law, making necessary adjustments to their security policies as appropriate.

About the author:
Stewart Room, Barrister and Solicitor, is a partner in the Technology Law Group at Field Fisher Waterhouse LLP. He is named as one of the U.K.'s leading data protection lawyers in legal directory Chambers UK and in October 2008 he was awarded the prestigious prize of "Legal Innovator of the Year" by the Financial Times, for his work with major IT companies. He is the president of the National Association of Data Protection Officers and the author of Data Protection and Compliance in Context (December 2006), Email: Law Practice and Compliance (to be published in December 2008) and Data Security Law and Practice (to be published in July 2009). He is a visiting lecturer on information law at various universities.

Rate this Tip To rate tips, you must be a member of SearchSecurity.co.UK. Register now to start rating these tips. Log in if you are already a member. DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.