Financial Law Update
What does security information really mean?

The recent news reports following the theft from Bank of Ireland (‘BoI’), over the course of a number of months, of four laptop computers containing the unencrypted personal data of thirty thousand customers, have focused attention once again on information security, most particularly from the perspective of data protection. While data protection clearly needs to be at the forefront in the development of any information security policy, compliance with data protection obligations is only one of the legal requirements that must be addressed in formulating procedures for keeping information secure, writes Anne-Marie Bohan
This is not to diminish the importance of data protection in fostering and ensuring information security. The fact that the Data Protection Acts 1988 and 2003 (collectively the ‘DPA’) only apply to ‘personal data’ relating to living individuals has not prevented the practical application of security standards, equivalent to those required under the DPA, to all confidential information held by financial and other organisations.


Where the information in question is personal data, the security standards imposed under the DPA will apply irrespective of whether the organisation holding the information acts as a controller of the data, or as a processor on behalf of a third party. This is one of the few instances where the DPA imposes equivalent standards on controllers and processors, so the fact that the information may ultimately be the responsibility of a third party will not absolve a processor from a failure to apply appropriate security measures. What security measures are ‘appropriate’ falls to be judged on the factual matrix of available technology, cost and, most importantly, the nature of the data and the likely harm that might result from a security breach. The more confidential and sensitive (in the ordinary sense of the word) the data, the higher the standard that will be required. For the financial services industry, where any customer data held would undoubtedly be viewed by those customers as highly sensitive, the bar will therefore be set high. And if the required standard is not met, not only will the financial institution face a possible audit by the Data Protection Commissioner, it could also find itself facing a claim for damages based on breach of the statutory duty of care which the DPA imposes on all controllers and processors.

As mentioned, however, data protection is not the full story when it comes to information security. For many in the financial services industry, the banker’s duty of confidentiality, and indeed contractual confidentiality obligations, will also shape the policies and procedures that have to be implemented. Nor should sight be lost of the requirements of the Electronic Commerce Act 2000, which mandate that there be a reliable assurance as to integrity, that the information be capable of display in intelligible form, and that it be readily accessible, before that information can be considered ‘secure’ in the sense that an organisation can rely on it.

Ultimately, one of the most practical issues which any organisation will face in keeping information secure is the risk represented by staff and contractors, who, deliberately or otherwise, might cause a breach in an otherwise robust system. Having clear and enforceable internal communications policies, which form part of an employee’s or contractor’s terms and the breach of which could result in disciplinary proceedings and dismissal, is therefore a critical element of any information security framework. So too is the training of staff, which is in any event a key component of the security obligations under the DPA.

One further aspect of an information security policy, which is often omitted but which is of critical importance, is the process to be followed when there has been a breach. As highlighted by the BoI case, where it appears that internal procedures may not have been followed, it is critical that anyone having access to personal data and other information knows the escalation path, so that ultimately the organisation can ensure that it complies with its wider legal and regulatory notification obligations, and avoid, or at any rate minimise, the adverse publicity that routinely follows a breach of information security. In this regard, while the DPA does not currently impose any obligation on controllers or processors to notify either the Data Protection Commissioner or affected customers or individuals in the event of a security breach, it is interesting to note that the draft Directive on Privacy and Electronic Communications, which is limited to privacy issues in the electronic communications sector, contains a notification obligation that will apply to communications sector organisations. The European Data Protection Supervisor has, unsurprisingly, advocated that this approach be extended more generally to information society service providers, including the ‘online’ financial services sector. Imposition of a notification obligation of general application would also seem to be favoured by the Data Protection Commissioner, who is of the view that, even absent an express obligation, security breaches should be notified as a matter of good practice. Given the far-reaching consequences which may arise from lapses in security, not only for the organisation but also for individuals, a positive obligation to notify is likely to be adopted sooner rather than later.