The risks to businesses of being involved in a data loss incident are high. Criminal sanctions under the Data Protection Act are well established, but other regulators like the Financial Services Authority (FSA) are also willing to flex their enforcement muscles. In the last three years, the FSA has levied substantial fines against several of its members for security breaches.
Bad publicity is another potentially lethal sanction. A recent study by Ponemon showed that 31 per cent of respondents terminated their relationship with an organisation on receiving notification of a breach of data security.
Finally, where third party suppliers are dealing with data, security breaches can lead to termination of their contract and liability for losses incurred.
Mitigating legal risk
Arrangements under which third party suppliers handle customer data should provide for clear lines of responsibility. It is ultimately the data controller's responsibility to ensure that its suppliers treat data carefully, but the supplier will also require their assistance to minimise damage if a breach should occur.
The services contract should:
- clearly spell out each party's responsibilities - security measures should be specific and clearly identified (i.e. within a security schedule) and should be achievable;
- set out some basic controls in the event of a data loss or breach - the parties should co-operate to prevent further damage;
- have indemnity and termination provisions, which specifically address the issue and the consequences of data loss on the supplier's part; and
- very importantly, contain specific provisions for press statements to be mutually agreed so that neither party can depict the other as the scapegoat.
Practical steps
All businesses should have robust data security measures. In particular: human and operational controls - to ensure effective training for all staff who handle the customer data so staff clearly understand what their responsibilities are. Technical measures, which must be robust and backed up by an audit trail to demonstrate that they are tested and effective for the specific data and contractual requirements.
Reputational damage
Instant and intense media scrutiny can be expected in the event of data loss so businesses should plan in advance how the situation will be handled. You will need to establish the exact facts very quickly and present a coherent explanation showing that you are in control. If there is doubt as to what has happened, you are entitled to prevent the media pointing the finger until the facts are clear.
Be careful about blaming a third party - check whether you are contractually entitled to do so and consider the risk should you be wrong.
If it is clearly your fault, a prompt public apology combined with a clear explanation as to how you will mitigate any damage caused may be the most effective way of defusing the situation. Whilst writing, I should mention the long-awaited changes to the Computer Misuse Act have finally come into force.
© Copyright 2008 Eversheds
Please note that the information provided above is for general information purposes only and should not be relied upon as a detailed legal source.