Security breaches: A regulatory overview
Jonathan Bamford, Head of Strategic Liaison
Security breaches and the DPA
- Data controllers' security obligation: principle 7 of the DPA
  o Appropriate technical and organisational measures
  o "Appropriate" depends on the nature of the data, the likely harm, the available technology and the cost
  o Against unauthorised or unlawful processing of, and accidental loss of or destruction to, personal data
- Schedule 1, Part II interpretation of that principle:
  o Data processor selection, contracts and checks
  o Employee measures
- Breach = failure to meet that standard
Breach reporting under the DPA
The law
- No mandatory breach reporting under the DPA, as currently enacted
- Some bodies (NHS, central government) have instituted their own requirements
ICO approach
- Voluntary self-reporting of breaches is appropriate in some circumstances
  o Relevant factors?
  o See guidance on handling security breaches for more information
- Enforcement action where the triggers in the Regulatory Action Policy are met
Breach reporting under the DPA
ICO approach (cont.)
- Notifying affected data subjects?
  o No strict legal obligation
  o Assess the possible effects of the breach
- Website resources:
  o Guidance on security breach management
  o Security breach notification form
  o Guidance on security requirements
  o Recent blog on encryption and security lessons learned
After a breach?
- Review the circumstances of the breach
- Assess any ongoing risk
- Identify and implement any changes required
- Cascade any internal messages
A personal data breach under the PECR
- Regulation 5A of the amended PECR 2003
- Defined as: "A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise protected in connection with the provision of a public electronic communications service"
- Obligation applies to service providers only
Reporting personal data breaches under the PECR
- Service provider: provider of public communications services (see s.151 of the Communications Act 2003)
What the law requires
Service providers must:
- initially notify the ICO of any personal data breach within 24 hours
- provide any additional information within three days
- notify individuals of breaches that may adversely affect them without undue delay
- keep a log of any breaches
Guidance published on our website with full details.
Personal data breach reporting under the PECR: the detail
- Secure electronic means provided via the ICO website for breach reporting
- What must be reported:
  o To the ICO?
  o To adversely affected individuals?
- Consequences of failure to comply with the reporting obligation:
  o £1,000 MPN (monetary penalty notice) for failure to report
  o Potential for enforcement action in respect of any other issues identified in the course of the investigation
Personal data breach log keeping under the PECR: the detail
- Regulation 5A(8) of the PECR requires service providers to keep a log of all data security breaches comprising:
  o the facts surrounding the breach
  o the effects of the breach
  o remedial action taken
- Many service providers have been doing this since 2011
- Template log available on the PECR pages of our website
- Log to be provided monthly to the ICO even where no breaches are reported ("nil return")
- The dual reporting issue: RIPA code and IOCCO
ICO enforcement options
- Prosecutions for unlawful obtaining/disclosure etc.
- Enforcement notices
- Undertakings
- Assessment notices (audits)
- Civil monetary penalty of up to £500k
Security breaches: examples of penalties
- Kent Police: £100K
- British Pregnancy Advisory Service: £200K
- Ministry of Justice: £140K
- Kwik Fix Plumbers: £90K
- Parklife Festival: £70K
- Bank of Scotland: £75K
- Sony Computer Entertainment: £250K
ICO published figures per quarter (chart)
Lessons learned
- Theft/loss of portable media reduced but still significant
- Retention/lack of weeding a problem
- Too many repeated incidents
- Poor communications/training/awareness a frequent factor
- Policies/procedures not related to jobs
- Security must be updated
Lessons learned
- Professional staff think they are immune
- Need to monitor contractors/processors
- Focus on IT security at the expense of physical security
- Security improvements do not have to be expensive
- Movers and leavers procedures lacking/not implemented
- Room for improvement in governance
More ICO advice on security
Eight common failings
1. Not keeping software security up to date
2. SQL injection
3. Running unnecessary services
4. Poor decommissioning
5. Insecure storage of passwords
6. Failure to encrypt online communications
7. Processing data in inappropriate areas
8. Default credentials, including passwords
Proposed EU regulation raises the bar
The future of breach reporting?
- Emphasis on compliance processes, paperwork and delegated legislation
- Draft regulation includes:
  o Reporting to the ICO within 24 hours
  o Data processor required to report breaches immediately to the data controller
  o Detailed specification of breach notification information
  o Obligation to notify individuals where there is a possible adverse effect
  o Penalties of up to €1m or 2% of worldwide turnover
ICO approach to proposals
ICO views?
- Support risk-based breach notification:
  o to the ICO
  o to data subjects (where potentially adversely affected)
- Support other measures to improve risk management, subject to appropriate thresholds and flexibility:
  o PIAs (privacy impact assessments) and PbyD (privacy by design)
- Minimisation of delegated legislation
- Harmonisation between DPA and PECR breach notification obligations
Preparing for security breaches
- Have clear procedures in place, and policies to review them
- Define responsibilities:
  o for reviewing procedures
  o for reporting breaches
- Senior accountability for compliance
- Training of staff, availability of appropriate materials
- Records management, particularly retention and data minimisation
- The role of PIAs and PbyD
- ICO resources
- Cyber insurance?
Keep in touch
Subscribe to our e-newsletter at www.ico.org.uk, or find us on /iconews and @iconews