The data security compliance stakes for organizations seem to have increased as a result of recent developments in the United Kingdom.
To some privacy law practitioners in the United States, the approach to regulation of privacy and data security in the United Kingdom can sometimes seem like a triumph of form over substance. While extensive data protection laws are in place, the risk of regulatory sanction for breach of legal obligations can often appear to be more theoretical than practical.
Developments in the last six months may now change the attitude of a number of legal professionals, at least when it comes to matters of data security. In particular, advisers to the UK financial services industry should be aware of a more activist stance being adopted by the relevant regulators. Two recent decisions, one by the UK Financial Services Authority (“FSA”), the body in charge of supervising the UK banking, insurance and financial industry, and another from the UK privacy regulator, the Information Commissioner, seem to raise the compliance stakes for organizations.
Common law duty
Arguably, issues of information security (at least in relation to customers) are nothing particularly new. Under English law, banks have long held a common law duty to keep their customers’ affairs secret. Although the duty has been subject to a number of exceptions developed by the courts over the years (1) and further curtailment under anti-terrorism legislation, the general principle applies that all information which a bank holds about a customer should be kept confidential (unless the customer decides to waive the right). In the event that the bank breaches that duty, the customer may sue for damages after disclosure or apply for an injunction to restrain disclosure or further disclosure of the confidential information. (2)
Common law duties of secrecy have been augmented by more specific legislative developments in the UK over the past 20 years, as computerized storage of customer records became commonplace. Primarily, the European Community’s Data Protection Directive of 1995 (3) introduced a number of obligations on European-based corporations and other entities (including financial services organizations) to protect and secure personal data relating to living individuals. The Directive (as transposed into UK law by the Data Protection Act 1998 (“DPA”)) governs the “processing” of personal data. Almost any operation carried out on those data, such as collection and storage, organization, retrieval, internal or external transfer, sale to a third party, and destruction or disposal, is covered.
The DPA distinguishes between a “data controller,” meaning the organization which (alone or jointly) has the ultimate authority to determine what processing is carried out in relation to the data, and a “data processor,” being an organization engaged to carry out processing operations on that personal data on the instructions of the data controller, such as an ASP or other outsourced service provider. The distinction matters because the DPA’s obligations apply only to the data controller. It is the data controller who is usually required to file an annual notification or registration with the Information Commissioner and who may be liable in damages to individuals for failure to comply with its legal obligations.
Eight data protection "principles"
The DPA is centered around eight data protection “principles.” These are the general legal standards which organizations (with only a few limited exceptions) must observe when processing personal information in the UK. Of particular relevance in the context of information security is the seventh principle. This states that: “Appropriate technical and organizational measures shall be taken against unauthorized and unlawful processing of personal data and against accidental loss or destruction of or damage to, personal data.” (4)
The implication of this principle is twofold. First, enterprises should take appropriate technical security measures to ensure that personal data is protected to the appropriate level (this includes measures taken in relation to system administration, applying suitable encryption to sensitive data transferred over a network and also ensuring that appropriate business continuity planning is put in place). The second aspect is that those data controller organizations affected should have implemented corporate policies and practices to guard against potential security breaches. This will include ensuring the reliability of employees who may be tasked with handling and accessing customer data and putting appropriate training programs in place to promote awareness of data security procedures. Physical security, such as restricting access to buildings or facilities where customer data is stored will also be relevant.
Another consequence stems from the fact that, as mentioned above, data processors are not subject to the DPA’s security obligations directly. Accordingly, a data controller is required to ensure that any service provider it appoints to process personal data on its behalf provides “sufficient guarantees” that it will meet the same security obligations as those reflected in the seventh principle. The security obligations must also be set out in a written contract between the controller and service provider (and the data controller must make a statement to this effect in its UK data protection notification). Security measures will also be relevant where personal data collected or processed in the UK is transferred to overseas territories outside the member states of the European Economic Area.
The DPA’s eighth principle prohibits such data transfers to “non-approved” jurisdictions (5), the United States for example, unless adequate data protection safeguards are put in place to cover processing by the overseas recipient of those data. Accordingly, the DPA security requirements are also relevant to US-based organizations receiving personal data from the UK (6).
Costs of implementation
In assessing what security measures to adopt, organizations should have regard to the “state of technological development” and the “cost of implementing any measures.” The level of security must be appropriate to the harm that might result from unauthorized or unlawful processing or accidental loss, destruction or damage, and to the nature of the data to be protected. It follows that the level of security required for a basic name and telephone number is likely to be lower than that required for sensitive information about an individual’s credit status or any other information that could compromise the security of the customer’s account. Guidance issued by the Information Commissioner indicates that adoption of a recognized information security standard such as BS 7799 (the British Standard from which ISO/IEC 27001 was derived) is indicative that an organization is achieving “best practice” in meeting its data security obligations under the DPA. At the same time, many organizations are more focused on cost-efficient legal compliance than on best practice, and this has meant that adoption of these standards (as a means of achieving DPA compliance) has been relatively rare. With the actual security obligations pitched only at a broad level in the legislation, the lack of any definitive rulings by the UK courts or regulators has meant that in some compliance departments data security has been relatively low on the priority list.
UK Information Commissioner action
In March 2007 however, the Information Commissioner, in what has been one of its most high profile investigations affecting the UK private sector so far, issued a public statement naming and shaming eleven UK commercial banks and other financial sector businesses (as well as the UK Post Office and Immigration Advisory Service) for an “unacceptable” breach of their DPA information security obligations.
The regulator’s investigation was initiated by press reports that confidential customer information had been found in waste bins at the back of various commercial premises across a number of towns and cities. (The case also perhaps echoes the publicity that surrounded discovery of confidential legal documents recovered from the bins outside an English Barristers’ Chambers some years previously. (7))
Although details of specific legal infringements are noticeably absent from the Information Commissioner’s Press Release, (8) his public reprimand was accompanied by the publication of various undertakings signed by senior executives of the businesses concerned. (9) These set out various assurances that data protection procedures would be updated, training given to employees and various steps taken to ensure confidentiality of customer documentation disposed of outside branches.
The publication of undertakings is an interesting development in the UK enforcement regime. It seems to indicate a more creative approach by the Commissioner, perhaps to combat or even highlight perceived shortcomings in the current legislative sanctions under the DPA. There is no statutory basis for such action, and it remains unclear what the legal consequences would be for any further breach of the covenants given. That said, the DPA’s statutory enforcement route is protracted and clearly continues to be a source of frustration for the current Commissioner, Richard Thomas (10). In practice, the Commissioner will usually investigate any alleged breach, and the organization concerned is given at least one opportunity to make representations (and further representations) or to rectify the alleged infringements. Only if the infringement has not been dealt with would the Commissioner serve a formal enforcement notice, and only if no effort is then made to comply with the notice would an organization be liable to criminal prosecution. Not surprisingly, criminal actions under the DPA have been few and far between and only in relation to the most flagrant breaches.
At the time of writing, further investigations were being undertaken in light of new security breaches alleged against one of the named banks (Halifax Bank of Scotland), although even if a breach of its undertakings can be established, a further reprimand seems to be the most likely outcome if the Information Commissioner decides to take further action.
Financial Services Authority action
Of particular relevance to the financial services industry in the UK, and perhaps of more immediate concern to sector compliance teams, was an almost contemporaneous decision of the UK Financial Services Authority. Using powers under the Financial Services and Markets Act 2000, the FSA imposed a financial penalty on Nationwide Building Society for inadequate data security in breach of its obligations under the FSA Handbook (the primary source of UK financial regulation). The statutory penalty of £980,000 (UK sterling) is the largest ever imposed for a security breach of this nature in the United Kingdom and has undoubtedly raised eyebrows across the London financial markets.
According to the FSA, Nationwide had infringed the FSA Handbook’s Principles for Businesses (the fundamental obligations of all firms covered by the UK regulatory system), specifically Principle 3, by failing to take reasonable care to organize and control its systems and controls so as to manage information security risks effectively.
The decision followed an official investigation of the events surrounding the theft of a laptop from a Nationwide employee’s home in August 2006. The stolen computer reportedly contained details of around 13 million account holders of the Building Society. Although the data apparently did not include corresponding passwords or access codes (which the Building Society as a matter of practice stores separately from other customer information), and no customer losses have been suffered, the UK regulator still ruled that the inadequate security had exposed customers to an “unacceptable” risk of financial crime (a broadly similar allegation to that made by the Information Commissioner in its recent decision).
At this point, it is also worth noting that, unlike some US states, the UK currently has no positive statutory requirement on an organization to notify either a relevant regulator or its customers of an actual security breach. Indeed, it seems that at the time of the initial investigation, a decision was taken by Nationwide in conjunction with the investigating authorities to keep the potential security breach out of the glare of publicity, in case those responsible for the theft were alerted to the potential value of the data on the laptop.
The background to the ruling and the reasoning given by the FSA for its decision are especially worth considering. In particular, the case highlights the potential risks for authorized UK financial services businesses even where the firm or organization in question has implemented what it believes are comprehensive and up-to-date security policies and procedures. In this instance, Nationwide had clearly adopted a number of security measures in light of previous industry guidance issued by the FSA in November 2004. However, according to the regulator, it had still failed to adequately assess actual security risks, to take sufficient care to communicate those risks to staff, or to implement an effective risk management process. Of particular concern to the FSA were the following:
1. Information security procedure
Nationwide’s procedures were found to be set out in an “unwieldy electronic format” available over a corporate intranet and not housed in a single document. The FSA also alleged that the policy’s structure did not enable Nationwide’s staff to easily identify or search for particular parts that applied to them. In addition, the FSA noted inconsistencies and failure of the policy to prioritize critical issues over other less important matters or distinguish between requirements that were mandatory and those that were guidelines on best practice.
2. Staff awareness and training
Although its employees were required to sign an annual self-certification form stating that they had read and understood Nationwide’s policies and procedures, and staff received regular security training, the FSA ruled these procedures inadequate because they were not sufficiently job-specific.
This is a point worth noting for organizations that currently require employees to sign up to policies on an annual basis, assuming that this step alone is sufficient to comply with regulatory requirements.
3. Systems and controls
The FSA also ruled that Nationwide had failed to establish sufficient controls to ensure that staff actually understood and followed security procedures in their day-to-day jobs. Such controls, in the FSA’s eyes, included physical and electronic barriers to the downloading of information (e.g. firewalls and security software) which would prevent information from being copied onto portable electronic storage devices, or would at least allow Nationwide’s IT/IS staff to monitor such activity.
4. Investigation and incident management
Although the theft of the computer was reported to Nationwide immediately after it happened, the employee at the centre of the theft did not indicate at the time that sensitive customer data had been stored on the laptop. Nationwide was criticized for failing to follow up and investigate what information had been on the machine. The extent of the loss lay undiscovered for three weeks after the theft (the employee having gone on vacation shortly after the incident). According to the FSA, Nationwide had inadequate incident management procedures in place to deal with situations of this type. The failure to put investigation processes in place had inhibited Nationwide’s ability to respond properly to the theft and increased the opportunity for the information to be used for financial crime.
As a result of the FSA’s and Information Commissioner’s decisions, a number of regulated financial organizations, especially those dealing with large volumes of sensitive customer information, have been reviewing internal security procedures. It is quite clear from the FSA’s ruling that not only do processes need to be sufficient to deal with actual risks specific to that institution and the data it handles, but any policies or procedures put in place should be communicated in a form capable of being understood and followed by staff at all levels. Post-incident management procedures also need to be sufficiently robust to deal with breaches when they happen. The FSA was particularly concerned with the speed of Nationwide’s response in investigating and establishing the scope and extent of the data stolen.
As in other countries, advances in data storage and low-cost portable technology have made it easy for staff (and permanent or temporary contractors), working on site or through remote access, to download vast amounts of sensitive information. In many cases this data may be unencrypted and lack even the most basic password protection. Laptops represent one particular issue, but the proliferation of MP3 players, USB drives and smart phones in the UK business environment has magnified the possible areas of operational risk within organizations. Nor is intentional criminal activity the major issue. A recent survey of London taxi drivers, for example, indicates that a significant number of mobile phones, laptops and USB memory devices are left in the back of taxicabs by their owners and remain unclaimed. (11)
The Nationwide scenario is perhaps also a reminder to organizations that data security is not an issue to be left to the IT department. Here, a seemingly commonplace incident involving an employee working out of the office developed into a time-consuming internal legal headache for senior management. The FSA views its decision as sending a “clear strong message to all firms about the importance of information security,” and the amount of the fine (reduced from £1.4 million to £980,000 UK sterling because Nationwide agreed to an early settlement) should certainly have helped achieve that objective. Even the best-intentioned financial services organization may be at risk. Simply drafting an information security policy without also fully considering its effective implementation, management and application going forward is a potentially costly strategy in the longer term.
1) See, e.g., Tournier v. National Provincial and Union Bank of England [1924] 1 KB 461.
2) See Jackson v. Royal Bank of Scotland [2005] UKHL 3, relating to the damages that a customer could claim for disclosure of confidential information and how these were assessed.
3) Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and free movement of such data.
4) Data Protection Act 1998, Schedule 1.
5) Currently only Canada, Switzerland, Guernsey, the Isle of Man and Argentina have formal approval from the European Commission in relation to data transfers.
6) Transfers from other parts of Europe will be similarly affected as other EU member states have implemented similar provisions into their national laws.
7) See, e.g., the article in the Sunday Times, 13 March 2005, “Secrets of a Fleet Street Rubbish Man.” Benjamin Pell retrieved details of Sir Elton John’s spending accounts and evidence prepared for leading court cases from rubbish bins, and claimed to have made up to £250,000 in a single year by selling information found in bins to the press and publicity industry.
8) See http://www.ico.gov.uk press release Tuesday 13 March 2007.
9) See Information Commissioners Web site at http://www.ico.gov.uk.
10) See, e.g., the report in the Guardian, 1 May 2007. Indeed, the Commissioner also notes in the recent press release his view that organizations in breach of security obligations “should face detailed inspection of their security procedures.”
11) See “London top place for leaving laptops in cabs” IP Pro 28th November 2006.
Kenneth Mullen is a partner specialising in Media and Technology with the UK law firm Shepherd and Wedderburn.
020 7429 4910