Hardly a day goes by without a new story about another cyber-attack, leaked or hacked passwords or log-ins.
The 7th principle of the Data Protection Act 1998 mandates that
“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
Many of the leaks and hacks relate to information which falls squarely within the definition of “personal data”. The question is whether organisations are meeting their obligations under the 7th principle. It is a “big ask” as hackers are resourceful and continuously seeking and finding ways to circumvent protocols and technology that was previously considered safe and secure.
One of the major problems in the battle against cybercrime is that there is no absolute universal security standard. Thus, hackers will always look for the weakest point in any security chain. Recently it was reported that thousands of Tesco.com usernames and passwords were gathered by hackers during cyber-attacks on third party websites and the hackers then tried to use the usernames and passwords to access Tesco.com.
Sometimes, leaks are inadvertent as evidenced by the recent accidental disclosure by Tesco of hundreds of customer email addresses whilst apologising for a pricing error. Instead of using the “bcc” field Tesco included all of the recipients’ email addresses in the ‘to’ field.
There are also data security questions relating to the transfer of data outside the EU to countries which aren’t as mindful of protection of personal data. This is reflected in the 8th principle of the Data Protection Act 1998 which provides that
Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
To address this concern, the US introduced the voluntary “Safe Harbor” scheme under which entities voluntarily commit to abide by principles similar to those enshrined in our Data Protection Act. However, in a recent ironic twist, a draft report by the European Parliament’s Civil Liberties, Justice and Home Affairs Committee on US National Security, the European Commission was leaked and this draft has cast doubt on the reliability of Safe Harbor citing numerous deficiencies and loopholes. As the USA is probably the leading cloud hosting provider in the world, this highlights all sorts of issues for EU companies which directly or indirectly transfer or store data in the USA.
Data Controllers should bear in mind not only their legal responsibilities under the Data Protection Act regime but also that the Information Commissioner now bears teeth with the power to impose fines of up to £500,000 on those who fail to comply.
Simon Halberstam