Data Protection: Regulating Cyber Security
Jonathan Bamford, Head of Strategic Liaison
How does DP regulation affect cyber security?
- Data Protection Act 1998: appropriate security
- Privacy and Electronic Communications Regulations 2003: personal data breach notification
- ICO regulatory powers: enforcement action and monetary penalties
- Increased international regulatory cooperation: Global Cross Border Enforcement Cooperation
- Proposed EU data protection regulation: strengthened provisions, tougher sanctions
Security breaches and the DPA
- Data controller's security obligation: principle 7 of the DPA
- Appropriate technical and organisational measures
- Appropriate = nature of data, likely harm, technology and costs
- Against unauthorised/unlawful processing of, and accidental loss of/destruction to, personal data
- Schedule 1, Part II interpretation of that principle: data processor selection, contracts and checks; employee measures
- Breach = failure to meet that standard
Breach reporting under the DPA
The law
- No mandatory breach reporting under the DPA, as currently enacted
- Some bodies (NHS, Central Government) have instituted their own requirements
ICO approach
- Voluntary self-reporting of breaches appropriate in some circumstances
- Relevant factors? See guidance on handling security breaches for more information
- Enforcement action where triggers in the Regulatory Action Policy are met
Breach reporting under the DPA: ICO approach (cont.)
Notifying affected data subjects?
- No strict legal obligation
- Assess the possible effects of the breach
Website resources:
- Guidance on security breach management
- Security breach notification form
- Guidance on security requirements
- Recent blog on encryption
After a breach?
- Review the circumstances of the breach
- Assess any ongoing risk
- Identify and implement any changes required
- Cascade any internal messages
A personal data breach under the PECR
Regulation 5A of the amended PECR 2003. Defined as:
- A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise protected in connection with the provision of a public electronic communications service
- Obligation applies to service providers only
Reporting personal data breaches under the PECR
Service provider: provider of public communications services, see s.151 of the Communications Act 2003
What the law requires. Service providers must:
- initially notify the ICO of any personal data breach within 24 hours
- provide any additional information within three days
- notify individuals of breaches that may adversely affect them without undue delay
- keep a log of any breaches
Guidance published on our website with full details.
Personal data breach reporting under the PECR: the detail
- Secure electronic means provided via the ICO website for breach reporting
- What must be reported: to the ICO? To adversely affected individuals?
- Consequences of failure to comply with the reporting obligation:
  - 1,000 MPN (monetary penalty notice) for failure to report
  - Potential for enforcement action in respect of any other issues identified in the course of investigation
Personal data breach log keeping under the PECR: the detail
Regulation 5A(8) of the PECR requires service providers to keep a log of all data security breaches comprising:
- the facts surrounding the breach
- the effects of the breach
- remedial action taken
Many service providers have been doing this since 2011 (although the process has now been updated)
Template log available on the PECR pages of our website
Log to be provided monthly to the ICO even where no breaches are reported ("nil return")
ICO enforcement options
- Prosecutions for unlawful obtaining/disclosure etc.
- Enforcement Notices
- Undertakings
- Assessment Notices (audits)
- Impose a civil monetary penalty of up to 500k
Security breaches: examples of penalties
- Kent Police: 100K
- British Pregnancy Advisory Service: 200K
- Ministry of Justice: 140K
- Bank of Scotland: 75K
- Sony Computer Entertainment: 250K
Lessons learned
- Theft/loss of portable media reduced but still significant
- Retention/lack of weeding a problem
- Too many repeated incidents
- Poor communications/training/awareness a frequent factor
- Policies/procedures not related to jobs
- Security must be updated
Lessons learned (cont.)
- Professional staff think they are immune
- Need to monitor contractors/processors
- Focus on IT security at the expense of physical security
- Security improvements do not have to be expensive
- Movers and leavers procedures lacking/not implemented
- Room for improvement in governance
Greater regulatory reach?
- CJEU Google Spain case: addressed processing carried out in the context of the activities of an establishment
- International Data Protection and Privacy Commissioners: Resolution on enforcement cooperation
- Global Cross Border Enforcement Cooperation Arrangement
Proposed EU regulation raises the bar
The future of breach reporting?
Emphasis on compliance processes, paperwork and delegated legislation
Draft regulation includes:
- Reporting to the ICO within 24 hours
- Data processor required to report breaches immediately to the data controller
- Detailed specification of breach notification information
- Obligation to notify individuals where there is a possible adverse effect
- Penalties of up to 1m or 2% of worldwide turnover
ICO approach to proposals
ICO views?
- Support risk-based breach notification: to the ICO; to data subjects (potentially adversely affected)
- Support other measures to improve risk management, subject to appropriate thresholds and flexibility: PIAs and PbyD
- Minimisation of delegated legislation
- Harmonisation between DPA and PECR breach notification obligations
What stage are we at?

| Event                                               | Progress           |
|-----------------------------------------------------|--------------------|
| European Parliament LIBE report adoption            | Completed          |
| Full European Parliament adoption                   | April 2014         |
| Council position                                    | In progress - 2015 |
| Trilogue: Commission / Parliament / Council         | 2015?              |
| Adoption of EU data protection package              | 2015/16?           |
| Entry into force in the UK?                         | 2017/18?           |
Preparing for security breaches
- Have clear procedures in place and policies to review them
- Define responsibilities: for reviewing procedures; for reporting breaches
- Senior accountability for compliance
- Training of staff, availability of appropriate materials
- Records management, particularly retention and data minimisation
- The role of PIAs and PbyD
- ICO resources
Data Protection: Regulating Cyber Security
- Can't be left to chance
- Can't be complacent
- Can't rely on inadequate sanctions to minimise impact
- Can help avoid or minimise regulatory sanctions
- Can be good for business and reputation
- Can be good for consumer trust and confidence
Keep in touch
Subscribe to our e-newsletter at www.ico.org.uk or find us on /iconews and @iconews