I’m going to go ahead and open with: I am not a lawyer. If you’ve had a data breach and you need to know if you should notify an authority, or the public, you should speak to a lawyer. Don’t take legal advice from a blog post. I was researching the requirement to disclose under UK law and I thought it was interesting so here are some (probably incomplete) notes to explain (my interpretation of) the current UK Law.
The primary piece of law which is applicable to data security is the Data Protection Act 1998 which defines 8 principles for the processing of personally identifiable information. Principle number seven is:
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
It is the ICO who effectively enforce the act and they further the above by stating:
You will need to:
- design and organise your security to fit the nature of the personal data you hold and the harm that may result from a security breach;
- be clear about who in your organisation is responsible for ensuring information security;
- make sure you have the right physical and technical security, backed up by robust policies and procedures and reliable, well-trained staff; and
- be ready to respond to any breach of security swiftly and effectively.
So you must keep data secure and the ICO has explicit actions that are expected – however if you fail to keep data securely and a breach occurs, do you have to publicly disclose this fact? That’s an interesting question because under the Data Protection Act you do not, although under the Privacy and Electronic Communications Regulations (PECR) (an EC Directive) Service Providers do.
The PECR is pretty clear, Service Providers (such as an ISP or a telecommunications provider) must notify the Information Commissioners Office if a personal data breach occurs. However what if you are not a Service Provider then what are your requirements?
Well the ICO has a paragraph on this:
Under the Data Protection Act (DPA), although there is no legal obligation on data controllers to report breaches of security, we believe that serious breaches should be reported to the ICO.
So what constitutes a serious data breach? The ICO gives an example in their guidance where an attacker could have potentially accessed over 1000 records. Unless those records are particularly sensitive, or have the potential for hard to the relevant data subject. A more sensitive record could be one that includes national insurance number, or passport number, for example.
A potential data breach is important here as, say an administrative account is compromised then potentially all records have been breached, it would be up to the breached company to prove otherwise. This could be done from database logs for example, if those logs can be shown to be trustworthy – i.e. are not themselves compromised.
Also bear in mind with breaches attackers have previously been shown to perform more complex attacks, such as using Distributed-Denial-of-Service attacks being paired with data breaches to act as a distraction, or BotNets being used to distribute ransomware. Security Incidents should be fully investigated and ensure that the situation is treated accordingly and that you’re not just treating the visible symptoms.
Under ICO guidance a breach notification should be submitted within 24 hours, however for a number of real world breaches this is unrealistic as many steps need to be followed through such as gathering the actual details of a breach, informing internal parties and determining the amount of data and types of data that may have been breached. The ICO has commented that it would prefer a full picture of the breach and not an initial disclosure and then a follow up report. Therefore if it is not “feasible” to comply within 24 hours a disclosure “without undue delay” may be taken, where full details are supplied quickly with an appropriate reason for the delay.
So if you are not legally required to notify in the event of a breach, why bother? Well the ICO Statutory Guidance on the issue states in relation to determining the size of the fine for a breach the following will be taken in to account: “What steps the person had taken once they became aware of the contravention (for example, concealing it, voluntarily reporting it to the Commissioner, or not taking action once the commissioner or anther body had identified the contravention)”
Once a breach has been reported to the ICO, either voluntarily by the organisation or by a third-party aware of the breach, the ICO may: Work with the data controller to ensure within a certain timeline that compliance is achieved, they may issue an enforcement noticed to compel the company to comply within a fixed timeline (failure to comply is a criminal offence), and they may issue a Section 55A fine of up to £500,000.
That’s it – It seems that, through my research, a company is not legally required to disclose a breach to either the data subject or the Commissioner (unless they are a Service Provider and therefore come under PECR) however even so it is likely, (in the case of a breach of sensitive data or a breach of 1000 records or more) a very good idea to ensure a report is filed.
However, I am still not a lawyer.
So the worst has happened, how do you report a breach? You can report a breach to the ICO here.
Want a little more information from the ICO about what types of breaches are and are not reportable? Take a look at their guidance here.