Crack Down on Data Breaches Highlights Need for Compliance

News this week of tough sanctions against Zurich Insurance and Yorkshire Building Society for serious data security breaches has highlighted the need for organisations to take data loss seriously or face harsh penalties, adverse publicity and grave public scrutiny, warns a Nottingham data protection lawyer, Karen Harrison.

Karen, a director at Nelsons’ Commerce & Technology team says: “The UK operation of Zurich has been fined £2.27m by the Financial Services Authority (FSA) for losing personal details of 46,000 customers, which is the highest fine levied on a single firm for data security failings. The size of the fine sends a clear signal that the authorities will crack down hard on data loss and that organisations should be clear about their obligations under the Data Protection Act 1998 (DPA).

“When entering into outsourcing arrangements involving the transfer of personal data, the DPA requires that businesses put in place written contracts with their outsourcers. Under the DPA, legal responsibility rests with the business transferring the data for any data loss that takes place as part of the outsourcing. Transborder transfers of data outside of the EEA are subject to particularly strict rules under the DPA and expert advice should be taken on such contracts.

“Prior to entering into the contract, the business should undertake a risk impact assessment with regard to the data being transferred, and examine the outsourcer's policies and procedures for ensuring compliance with the DPA. Once the contract is in place, the business must also audit the outsourcer's ongoing compliance with the data protection obligations in the contract, something that clearly did not happen in the Zurich case.”

According to Karen, businesses are also advised to negotiate robust DPA warranties and indemnities so that if there is an issue, they can pursue the outsourcer under the contract.

Yesterday also saw the Yorkshire Building Society admit thousands of customers were exposed to potential loss when a laptop computer was stolen in April this year. Some years ago, the Information Commissioner's Office (ICO) issued Guidance that requires businesses to encrypt personal data on mobile devices. Karen comments: “The existing published Guidance indicates that the ICO will take a pretty dim view of businesses that are found in breach and be more likely to exercise their power to fine in such situations.

“In the Yorkshire Building Society case, not only was the laptop unencrypted but the passwords were in the same bag as the laptop. There were several unsuccessful attempts by a third party to access the data, which could have resulted in identity theft. The case emphasises the need to train employees to be aware of and comply with the business’s DPA policies. It’s also interesting because the ICO rather than the FSA investigated the breach and the Yorkshire has been forced to give a published undertaking to the ICO to correct its policies and procedures.”

From April 2010, the ICO was given new powers to fine organisations up to £500,000 for serious breaches of the DPA.

Primarily designed to deter personal data security breaches and promote greater compliance with the DPA, the new powers allow the ICO to impose monetary penalty sanctions for the most serious cases where organisations deliberately breach the law, are negligent or fail to take reasonable steps to prevent breaches. In particular, organisations who fail to report data security breaches will face tougher action by the privacy watchdog.

According to Karen, the ICO will impose a monetary penalty if it is satisfied that there has been a serious contravention of the data protection principles, and that the contravention was of a kind likely to cause substantial distress or damage. She continues: “Factors which make the imposition of a monetary penalty more likely are:

  • the seriousness of the contravention;
  • the nature of the personal data involved;
  • the duration and extent of the contravention;
  • the number of individuals affected;
  • if the damage is financially quantifiable;
  • if the organisation failed to carry out any risk assessment; and
  • if the contravention was deliberate or premeditated.

“Equally, if the data controller was aware of and did not follow relevant guidance published by the ICO, or if there was a similar series of contraventions and the data controller did not take steps to rectify the cause, the organisation is more likely to face a monetary penalty.

“The ICO will, however, take a proportionate approach to issuing an organisation with a penalty or enforcement notice. Financial resources, sector, size and the severity of the data breach will all be factors taken into account in order to ensure that undue financial hardship is not imposed on an organisation.”

Karen concludes: “Organisations need to comply with the law, ensuring that they carry out appropriate risk assessments, audits, have adequate procedures and policies in place, have clear lines of accountability and adequately train their staff.”

For more information or advice on how to comply with the DPA, contact Karen Harrison at Nelsons on 0115 851 1286 or by email at karen.harrison@nelsonslaw.co.uk