ZDNet UK

• CNET NETWORKS UK BUSINESS SITES:
• atlarge.com
• BNET UK
• silicon.com
• SmartPlanet.com
• ZDNet.co.uk

How to avoid liability for a data breach

• Tags:
• Loss,
• Third Party,
• Guidance,
• Controller

Sally Whittle ZDNet.co.uk

Published: 31 Mar 2008 15:33 BST

...data cannot be copied or shared; in some cases, it may be possible to use software to prevent such actions. "You could also flag up to people that, if they pass on information, they could be criminally liable," said Egan.

Training is vital to ensure that employees don't put client data at risk, even accidentally, said Titterington: "Most data breaches come from bad staff decisions and usually they are accidental." For example, a common trick of thieves is to contact a call centre pretending to be someone else and browbeat the agent into revealing confidential account information. "That sort of social engineering can easily be addressed with good training," he said.

In terms of technological measures to protect client data, most of the systems should already be in place, Titterington said. Up-to-date, effective antivirus and intrusion-detection software, together with network monitoring and clear acceptable-use policies can go a long way towards protecting sensitive information. "You should probably also look at locking down information by restricting what can be downloaded or removed via mobile devices," he added. "And check potential weak spots; it's very easy for information to be attacked through internet-connected applications using something like an SQL injection."

Arrowsmith advised also rolling out other security systems to ensure that users are protecting their computers with strong passwords that are regularly changed; making sure that information is encrypted at every stage; making certain unused terminals are locked; and employing software to back up data and monitor all network activity. "Employees should be absolutely clear what the policy is and how it is enforced," said Arrowsmith.

If a data breach does occur, the ICO does not itself have the power to bring prosecutions, but individuals who suffer loss because of the breach may have a case to bring, said Eldin Rammell, managing director of Rammell Consulting, a consulting firm specialising in information management.

Read this

Corporate espionage: Not if, but when

When it comes to business-to-business theft of information, experts agree — it's best to assume it will happen to your company

Read more

"If someone could prove there had been a loss which could be directly attributed to the data leak and that the data controller was negligent in not preventing the leak, there could be a civil case for damages," said Rammell. "But, if the data controller had robust procedures in place to prevent data loss and the breach was down to a fraudulent employee, it would be difficult to prove that the employer was negligent. If there were no such procedures, a case would be easier to prosecute."

Other legal issues around data breaches include a potential breach of confidentiality, an infringement of copyright and a breach of any number of contractual or regulatory requirements, said Arrowsmith. "As well as a statutory right to claim, there may well be an opportunity for an individual to claim for damages for a breach of contract, confidentiality or copyright, all of which could lead to a cash payment, the size of which would depend on the nature of the loss that customer has suffered. For a small business, obviously this could be catastrophic."

Even the best policies and technologies can't protect you against every eventuality, and that's where a good insurance policy can come in useful, said Arrowsmith. But it's worth remembering that insurers will only pay out if you can show that you have the best possible policies and systems in place to minimise the risks your business faces.

Tips for protecting customer data

1. Appoint someone in the company to be responsible for all data-protection and security issues, whether it's HR or customer data
2. Go to the ICO website and read the good practice notes, which are particularly helpful for SMEs
3. Check whether you need to register with the information commissioner
4. Remember that, if you are doing something with data on behalf of someone else who controls the data, then your legal position will depend on what it says in the contract. The flip side of this is that, if you outsource any activity so that others are processing data on your behalf, as the original data controller you are still responsible to the ultimate subject of that data 
5. Make sure your data is safely gathered and stored. Old data should be reviewed and deleted where appropriate
6. Make sure staff are trained and understand that unauthorised disclosure of data is an offence
7. Be careful if your business extends outside the EU. There are different rules on data security abroad and your responsibility to disclose data leaks will be different in, for example, the US

• The top five internal security threats
• Keeping mobile data from going walkabout
• Lib Dems call for data guardians
• Worker suspended over loss of prisoner data
• Ministry of Justice reports nine data breaches
• Foreign Office reports five data breaches since 2007
• ICO: Gov't ignoring data-sharing hazards
• Lords presses government for data-breach law
• Experts urge criminal charges for data breaches
• Justice minister urges overhaul of gov't data handling
• MoD announces data-protection action plan
• Systemic failure blamed for HMRC data loss

Did you find this article useful?
3 out of 3 people found this useful

• Share this article:
• Digg
• Slashdot
• Del.ici.ous
• Stumble
• Reddit

Post a comment

Full Talkback thread

1 comment

1. How to avoid liability for a data breach ...... Moley