Charlotte Walker-Osborn, senior associate, Technology Group, Eversheds LLP looks at recent security issues.
In a move demonstrating the seriousness with which the US treats hackers, the US Divisional Court has upheld the District Judge and the Secretary of State's decision to use powers, under the Extradition Act 2003, to extradite a British man to the US to face computer hacking charges.
In 2001 - 2002, Gary McKinnon, acting from his own computer in London, is said to have gained unauthorised access to around 100 computers belonging to, and used by, the US Government.
Apparently, Mr McKinnon deleted data and copied some files onto his own computers, including some operating systems files containing account names and encrypted passwords. The cost of repair to the US computers was over $700,000. It has been reported that Mr McKinnon will appeal the decision.
The Information Commissioner's Office (ICO) has issued a name and shame list of 11 leading financial and other organisations allegedly in breach of the Data Protection Act (DPA).
The action is a sobering reminder of the need for robust and effective information security measures in order to prevent unauthorised or unlawful processing of, and accidental loss or destruction of or damage to, personal data (the mandatory Seventh Data Protection Principle under the DPA, which requires appropriate technical and organisational measures against these risks).
The ICO considered these organisations to have breached the security principle by disposing of customer information insecurely.
Breach of data protection principles can lead to notices from the ICO for further information about data processing operations or enforcement notices requiring compliance with the data protection principles.
The ICO may exercise powers of entry, inspection and seizure of documents and equipment. Failure to comply with notices can be a criminal offence but, aside from the legal consequences of breach, there is risk of damage to reputations and loss of customer confidence.
Organisations involved have been required to sign formal undertakings to comply with the Data Protection Principles. If they then fail to meet the conditions of the undertaking, further enforcement action and prosecution could result.
More worrying for organisations regulated by the Financial Services Authority (FSA) is the further consequence of breaching FSA rules, which require firms to operate adequate risk management systems and controls.
The FSA is willing to use its enforcement powers against non-compliant organisations, recently issuing a £980,000 fine to a firm for inadequate systems and controls to manage information security risks.
This came to light following the theft, in 2006, of a laptop from an employee, which contained confidential customer information. The FSA mentioned in particular the risk of customer information being stolen and consequently the risk of financial crime.
Given the tough stance being taken in such matters, organisations may want to review their information security procedures to ensure they are compliant.
This is for general information purposes and not to be relied upon as a detailed legal source.
This article first appeared in the summer 2007 issue of ISNow.