The power of the ICO: Liabilities for a data security breach

The Commissioner's office is entitled, though not obliged, to serve an enforcement n...

RELATED CONTENT Compliance and regulations Encryption basics: How asymmetric and symmetric encryption works SIEM systems streamline compliance processes, offer security benefits Tips to achieve PCI compliance How to choose an external compliance auditor Using a privacy impact assessment template for DPA compliance PCI DSS checklist: Mistakes and problem areas to avoid The elements of a compliance-oriented architecture Wireless network guidelines for PCI DSS compliance PCI DSS requirement: Implement strong access control procedures How to choose full disk encryption for laptop security, compliance Compliance Regulation and Standard Requirements PCI DSS requirements still baffling as compliance deadline approaches Make PCI DSS compliance easier by reducing scope, outsourcing data Cloud computing compliance: Exploring data security in the cloud Encryption basics: How asymmetric and symmetric encryption works SIEM systems streamline compliance processes, offer security benefits No major PCI DSS revision expected in 2010 PCI QSAs, certifications to get new scrutiny Tips to achieve PCI compliance PCI DSS requirements: Get ready for stricter enforcement, fines Data Protection Act breach could cost companies 500,000 pounds Data Protection Solutions and Strategy Enterprise data management: Prevent data loss and insider threats NSA, cryptoexperts jab at RSA Conference 2010 Cryptographers' Panel Make PCI DSS compliance easier by reducing scope, outsourcing data Data Protection Act fines likely limited, audit powers may expand Websense integrated security system aims to simplify security management Full disk encryption: Safer and easier than file and folder encryption No major PCI DSS revision expected in 2010 Data breach costs continue to rise in 2009, Ponemon study finds Chinese hacker attacks target Google Gmail accounts, top tech firms Annual security reports offer some hope

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Basel II  (SearchSecurityUK.com) Code of Connection (CoCo)  (SearchSecurityUK.com) EU Data Protection Directive  (SearchSecurityUK.com) Financial Services Authority  (SearchSecurityUK.com) IFRS (International Financial Reporting Standards)  (SearchSecurityUK.com) UK Identity Cards Act  (SearchSecurityUK.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

otice if it is satisfied that the controller has contravened, or is contravening, the principles of the Data Protection Act. The purpose of an enforcement notice is achieving the controller's compliance with the DPA. If the ICO is satisfied, then it may serve a notice requiring the controller to either take steps or to refrain from taking steps.

However, before serving an enforcement notice, the Information Commissioners' Office must also consider the extent to which the security breach has caused, or is likely to cause, a person damage or distress. If a controller disputes the service of an enforcement notice, he or she can appeal within 28 days to the Information Tribunal. An appeal suspends the operation of the notice. If the controller chooses not to appeal, or appeals are unsuccessful, the notice will crystallise. When a controller breaches the terms of the notice, that person will be liable to criminal prosecution. If the controller is a company, breach of an enforcement notice also exposes the directors and managers of the business to criminal proceedings.

In May 2008 the Criminal Justice and Immigration Act introduced the Commissioner's power to serve a monetary penalty notice. The ICO expects that it will have issued its first monetary penalty notices by spring 2009, which might be a tad ambitious. Again, the Commissioner's power to serve a monetary penalty notice is a discretionary one, which can only be exercised where there has been a serious breach of the data protection principles that is likely to cause substantial damage or distress, provided that the controller knew there was a risk of such a breach occurring and that those responsible did not take reasonable steps to prevent it.

The data subject is also given statutory remedies by the DPA. Under section 13, victims can sue for compensation if they suffer damage and distress. They can also take legal action to prevent further processing of their data. In big security breach cases, expect to see the emergence of "class actions," which can be brought in the High Court by way of a "group litigation order," which permits similar legal claims to be answered collectively.

While the DPA focuses on the activities of data controllers, data processors are not immune from legal action. Under the Human Rights Act, any data subjects affected by a security breach can sue for compensation for that breach. Furthermore, we have witnessed the recent case of a high-profile data processor having a government contract terminated following the loss of an unencrypted memory stick containing sensitive data about prisoners; the exercise of contractual remedies for security breaches is likely to become more commonplace.

In the financial services sector there have been a number of large, high-profile fines for security breaches, which are issued under the Financial Services and Markets Act 2000, a law governing the provision of financial services in the U.K. The FSMA has four key regulatory objectives, and for the purposes of security breaches, it is the regulatory objective to prevent financial crime that is called into force by the FSA in the event of a security breach in a regulated firm. Breaches of the FSMA have attracted financial penalties for many years now. In light of the overall strategic weaknesses in the financial sector, it is likely that the FSA will continue its high-profile strategy for security breaches in the years ahead.

About the author:
Stewart Room, Barrister and Solicitor, is a partner in the Technology Law Group at Field Fisher Waterhouse LLP. He is named as one of the U.K.'s leading data protection lawyers in legal directory Chambers UK and in October 2008 he was awarded the prestigious prize of "Legal Innovator of the Year" by the Financial Times, for his work with major IT companies. He is the president of the National Association of Data Protection Officers and the author of Data Protection and Compliance in Context (December 2006), Email: Law Practice and Compliance (to be published in December 2008) and Data Security Law and Practice (to be published in July 2009). He is a visiting lecturer on information law at various universities.

Rate this Tip To rate tips, you must be a member of SearchSecurity.co.UK. Register now to start rating these tips. Log in if you are already a member. DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.