The power of the ICO: Liabilities for a data security breach

The Commissioner's office is entitled, though not obliged, to serve an enforcement notice if it is satisfied that the controller has contravened, or is contravening, the principles of the Data Protection Act. The purpose of an enforcement notice is achieving the controller's compliance with the DPA. If the ICO is satisfied, then it may serve a notice requiring the controller to either take steps or to refrain from taking steps.

However, before serving an enforcement notice, the Information Commissioners' Office must also consider the extent to which the security breach has caused, or is likely to cause, a person damage or distress. If a controller disputes the service of an enforcement notice, he or she can appeal within 28 days to the Information Tribunal. An appeal suspends the operation of the notice. If the controller chooses not to appeal, or appeals are unsuccessful, the notice will crystallise. When a controller breaches the terms of the notice, that person will be liable to criminal prosecution. If the controller is a company, breach of an enforcement notice also exposes the directors and managers of the business to criminal proceedings.

In May 2

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Compliance and regulations Basel II risk management and implementation guide Meet Basel II operational risk, compliance requirements with BS 25777 How to achieve PCI DSS compliance in a midmarket business Preparing enterprise Wi-Fi networks for PCI compliance PCI compensating controls: Loopholes or lifesavers? A preview of PCI virtualization specifications Information security forecast: Security management in 2009 Data breach notification: A legal requirement? Using ISO 27000 to comply with Data Protection Act principles Latest U.K. data security laws get tough on fines, PETs and policies Compliance Regulation and Standard Requirements USB drive security project protects endpoints, aids CoCo compliance Cybercrime attacks, IT outsourcing, mobile malware top ISF threat list The basics of enterprise GRC project management SearchSecurity.co.uk partners with PCI DSS User Group Council boosts compliance efforts with system log management app PCI DSS Q&A: Answering your questions Security budgets take hit in media, tech industry, survey finds Forrester advises cautious approach to cloud computing services NHS imposes USB stick security IAS 6 aims to lock down data from government departments, suppliers Data Protection Solutions and Strategy Sourcefire to ignite new offerings for virtualisation security USB drive security project protects endpoints, aids CoCo compliance How to enforce an enterprise data leak prevention policy Companies underestimate Web 2.0, social networking threat, says survey RSA council addresses growing security risks in the cloud Attackers use ATM malware to steal track data, PINs CSA, Jericho Forum unite on cloud computing security message How to create a data classification policy Trust eroding as social engineering attacks climb in 2009, says Kaspersky expert Organizations struggle with data leakage prevention, rights management

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Basel II  (SearchSecurityUK.com) EU Data Protection Directive  (SearchSecurityUK.com) Financial Services Authority  (SearchSecurityUK.com) UK Identity Cards Act  (SearchSecurityUK.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

008 the Criminal Justice and Immigration Act introduced the Commissioner's power to serve a monetary penalty notice. The ICO expects that it will have issued its first monetary penalty notices by spring 2009, which might be a tad ambitious. Again, the Commissioner's power to serve a monetary penalty notice is a discretionary one, which can only be exercised where there has been a serious breach of the data protection principles that is likely to cause substantial damage or distress, provided that the controller knew there was a risk of such a breach occurring and that those responsible did not take reasonable steps to prevent it.

The data subject is also given statutory remedies by the DPA. Under section 13, victims can sue for compensation if they suffer damage and distress. They can also take legal action to prevent further processing of their data. In big security breach cases, expect to see the emergence of "class actions," which can be brought in the High Court by way of a "group litigation order," which permits similar legal claims to be answered collectively.

While the DPA focuses on the activities of data controllers, data processors are not immune from legal action. Under the Human Rights Act, any data subjects affected by a security breach can sue for compensation for that breach. Furthermore, we have witnessed the recent case of a high-profile data processor having a government contract terminated following the loss of an unencrypted memory stick containing sensitive data about prisoners; the exercise of contractual remedies for security breaches is likely to become more commonplace.

In the financial services sector there have been a number of large, high-profile fines for security breaches, which are issued under the Financial Services and Markets Act 2000, a law governing the provision of financial services in the U.K. The FSMA has four key regulatory objectives, and for the purposes of security breaches, it is the regulatory objective to prevent financial crime that is called into force by the FSA in the event of a security breach in a regulated firm. Breaches of the FSMA have attracted financial penalties for many years now. In light of the overall strategic weaknesses in the financial sector, it is likely that the FSA will continue its high-profile strategy for security breaches in the years ahead.

About the author:
Stewart Room, Barrister and Solicitor, is a partner in the Technology Law Group at Field Fisher Waterhouse LLP. He is named as one of the U.K.'s leading data protection lawyers in legal directory Chambers UK and in October 2008 he was awarded the prestigious prize of "Legal Innovator of the Year" by the Financial Times, for his work with major IT companies. He is the president of the National Association of Data Protection Officers and the author of Data Protection and Compliance in Context (December 2006), Email: Law Practice and Compliance (to be published in December 2008) and Data Security Law and Practice (to be published in July 2009). He is a visiting lecturer on information law at various universities.

Rate this Tip To rate tips, you must be a member of SearchSecurity.co.UK. Register now to start rating these tips. Log in if you are already a member. DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.