Breach and Tell: First Thoughts

September 7, 2009

Tonight’s speakers were Stewart Room, a barrister turned solicitor and partner at FFW, the hosts for the evening, and Vivienne Artz, of Citigroup’s IP and O&T Law Group and Head of International (which seemed to mean EMEA+).

Stewart’s major point was that falling confidence in the regulation of data security and in national regulatory authorities (NRAs) had created a regulatory ‘bear market’. He foresaw increasing legislation, already evident in the Criminal Justice and Immigration Act, the Coroners and Justice Bill and the EU regulatory package to reform the electronic communications ‘six pack’, including Directive 2002/58/EC. This legislation would include more breach notification requirements, which would lead to more NRA action in response to breaches. In turn, simply based upon the law of averages, this would lead to more litigation and disputes as a result of judicial review and other appeals against NRA action and as a result of greater data subject activism. However, he had noted that there was no consistent message coming out of the Government, the ICO or the FSA on data security policy. He was not impressed by the ICO’s desire to catch ‘big names’ at the cost of good regulation (there was particular criticism, given his experience of recent cases, of ICO pressure to press for voluntary undertakings and criminal cautions).

Points that stuck in my mind: Stewart expected further regulation after the election. I am not so sure: it is not yet clear how far Cameron’s rhetoric in Opposition will translate into action, particularly regulatory intervention that some would argue will increase the regulatory burden on SMEs unnecessarily. It seems to me that the spirit of his 25 June 2009 ‘Giving power back to the people’ speech is not for more regulation. Stewart noted that breach notification was seen by politicians as a vote winner (his example being Arnie Schwarzenegger in California), but again I’m not so sure. Are Republicans/Conservatives really in favour of more regulation for business? Surely they press for self-regulation? Others may correct me, but I understood that Arnold Schwarzenegger had vetoed more than once a Consumer Data Protection Act in California.

Stewart thought breach notification would redress the balance of power between regulated entities and NRAs. This I do agree with; it being a step toward the almost universal weapon for NRAs in other regulated sectors such as telecommunications, where regulators usually have powers to demand information from industry players. He believed that there would be a ‘name and shame’ deterrent effect as a result of notification and that breach notification would act as an early warning system.

Vivienne gave an insider’s view of managing data security breaches, with a scenario not too far away from what she must have experienced in Citigroup. The key lessons I picked up, maybe because they reinforced my own prejudices, are that ‘people challenges’ are an important element of data security. This is certainly my experience from military days, where personnel security/vetting was as important as technical security. No amount of technical security measures will prevent employees’ ability to cause a data security breach, either inadvertently (human error) or deliberately (disaffected staff/leavers). Technical measures can only reduce the risk of breach. Systems and management procedures had to be designed with a ‘WHEN’ mentality, not an ‘IF’ mentality for dealing with breaches. There needed to be senior level sponsorship of any management structure and procedures, with real internal penalties for failure to comply with data security policies and procedures. After every breach case there had to be a full debrief of the management team to make sure lessons were learned, ready for the next breach. This seemed to me to be similar to BS7799/ISO 17799 type processes, with proper self-checking/quality audit steps.

It was a lively, full meeting. There was a lot to say, but Johanna Pimentel kept us to time!