Several high-profile data security breaches have made the headlines in recent times involving the loss of personal information relating to hundreds, if not thousands, of individuals. In many cases the information was stored on unencrypted laptops that were either lost or stolen.
Mistakes do happen and most security breaches occur by accident. However, regardless of the cause of a data security breach, negative publicity is bound to follow. To avoid such unwanted media and public attention, it is crucial that all organisations have proper security systems in place to safeguard personal data from accidental or deliberate (but unauthorised) disclosure.
Data Protection Acts
Under the Irish Data Protection Acts 1988 and 2003 (which give effect to Directive 95/46/EC), where an organisation collects and processes personal data, one of the obligations is to keep that data safe and secure. Appropriate security measures must be in place to ensure there can be no unauthorised access to, or alteration, destruction or disclosure of, the data. But how can an organisation be sure that its security measures are appropriate from a legal perspective before it is faced with the reality that these measures fall short?
The legislation does not lay down specific security requirements that should be implemented to protect personal data, but instead sets out several factors to be considered when implementing and auditing security systems. Such factors include the state of technological development, the cost of implementing the security measures, the harm that might result from unauthorised disclosure and the nature of the data.
Organisations need to examine whether their IT security systems are in keeping with current technology security standards. The larger the organisation, the greater the expectation will be that it has invested in advanced security systems, and that it regularly updates and upgrades these systems.
While smaller companies might not have similar resources at their disposal, the security systems they have in place must nevertheless be appropriate and take into account the harm that would result from unauthorised access to the information. For example, there could be particularly disastrous consequences if customer credit card details fall into the wrong hands. A primary concern of victims of data theft is whether their banking details will be misused and whether they will suffer financial loss. Extra safeguards should therefore be in place where credit card or bank account details are processed by an organisation.
A sophisticated security system on its own will not suffice. An organisation's security is only as strong as its weakest link, and all employees with access to personal information (such as customer or employee data) should receive comprehensive training to ensure that they fully understand and appreciate their responsibilities from a data protection perspective. The importance of staff training cannot be overstated, and employees should undergo repeat training at regular intervals.
Notification: A Matter of Best Practice
In Ireland, there is currently no statutory obligation to inform either the individuals affected by, or the Office of the Data Protection Commissioner of, a security breach. A Data Protection Working Group has been appointed by the Minister for Justice, Equality and Law Reform to advise on the most appropriate legislative response to data breaches.
Despite the absence of an obligation to inform, many organisations do inform the Commissioner and/or the Garda Síochána (the Irish police force) of the loss of personal data, as a matter of best practice. In the public sector, recent guidance from the Department of Finance on data security advises departments and agencies to report data breaches immediately to the Commissioner’s Office.
What to do if there is a Security Breach? Commissioner’s Guidance
The Data Protection Commissioner has also recently issued guidance on the steps to take if a data security breach is discovered within an organisation. The Commissioner recommends that as soon as it is discovered that personal data has been compromised – for example, through the loss of a portable device, the misaddressing of mailings or a ‘leak’ from an organisation – the Commissioner’s Office should be notified immediately.
The Commissioner recommends that the first issue to consider is the question of informing those persons directly affected by the loss and how this might be achieved. The Commissioner may also request a detailed report of the incident, including:
- the amount and nature of the data that has been compromised;
- what action (if any) has been taken to inform those affected;
- a chronology of the events leading up to the disclosure; and
- a description of measures being undertaken to prevent a repetition of the incident.
The Commissioner will investigate the issues surrounding the data breach. Such investigation may involve an on-site examination of systems and procedures. In particularly serious situations, an investigation could lead to the use of the Commissioner’s legal powers to compel certain actions. However, this is very much the exception and, according to the Commissioner’s Office, the experience to date suggests that investigations are conducted on a co-operative basis with the entity keen to respond on a voluntary basis to any recommendations that it makes.
The recent security breaches are a wake-up call for all organisations that hold personal data. Any organisation holding personal data must take the time to check that its security systems are up to date. Access to personal data should be restricted to authorised staff on a need-to-know basis. Computer systems should be password protected, and personal data may need to be encrypted in certain circumstances. All staff members should be fully aware of the security measures in place and should understand the importance of complying with these procedures. Finally, if a security breach is discovered within an organisation, the organisation must act quickly to minimise the effects of the breach.