Notification of data security breaches - UK

07 February 2007

Ruth Boardman, Rhian Hill

EU Regulation and the European Commission’s proposals for change

Current EU position

Article 17 of the Data Protection Directive states that data controllers should implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, accidental loss, alteration, unauthorised disclosure or access and unlawful processing, especially where the processing involves transferring information over a network.

Under Article 4(1) of the Directive on Privacy and Electronic Communications (the “E-Communication Directive”), a provider of publicly available electronic communications services must “take appropriate technical and organisational measures to safeguard the security of its service”. An appropriate measure is one that ensures a level of security appropriate to the risk presented. Factors that can be taken into account are the state of the art as well as the cost of implementation.

Article 4(2) states that where there is a particular risk of a breach of network security, the provider must inform the subscribers of the risk. The provider must also inform subscribers of any possible remedies, including an indication of the likely costs involved.

Proposed changes

On 29 June 2006 the European Commission launched a consultation paper looking at the EU regulatory framework for electronic communications networks and services which included proposals regarding security breaches.

The Consultation Paper seeks to provide greater regulation of the security measures implemented by ISPs and network operators. The proposed changes would give Member States more responsibility to set appropriate standards for network security, as well as putting an obligation on ISPs and network operators to state in their customer contracts what actions would be taken in response to security breaches.

Additionally, ISPs and network operators would be obliged to inform national regulatory authorities of any breach of security that would lead to a loss of personal data or interruptions to the service. They would be under an obligation to inform customers of security breaches leading to loss, modification, destruction of or unauthorised access to personal customer data. It is unclear from the proposals whether ISPs and network operators would be under an obligation to disclose to all customers or only to the ones affected by the breach.

The Commission is proposing this change to the Directive because the E-Communication Directive requires service providers to notify customers of risks to security but not of actual breaches of security. The Commission does not give practical examples of this distinction. However, a situation can be envisaged where a network operator becomes aware that a hacker has exploited a weakness in its network and accessed an individual’s personal data. If it creates a fix for the problem and there is no longer a security risk, it will not have to disclose the failure to the customer. In practice, however, a security risk and a security breach will often be linked.

The UK

The legislation

The Data Protection Directive is implemented in the UK through the Data Protection Act 1998 (“DPA”). The DPA does not impose additional obligations other than those set out in the Data Protection Directive.

The E-Communication Directive is implemented in the UK by the Privacy and Electronic Communication Regulations (EC Directive) 2003 (the “PEC Regulations”). Section 5 of the PEC Regulations addresses security of information.

What is the technological standard for electronic communications networks in the UK?

The PEC Regulations state that a service provider must take appropriate technical and organisational measures to safeguard the security of the service. A service provider is only required to take such measures if, having regard to the state of technological developments and the cost of implementing them, the measures are proportionate to the risks against which they would safeguard.

The Department of Trade and Industry (“the DTI”) has announced that companies that comply with BS7799 and ISO/IEC 17799 are also likely to comply with the seventh Data Protection Principle (which mirrors Article 17 of the Data Protection Directive). The DTI’s best practice recommendation for companies is that they ought to comply with BS7799 if the cost of doing so is proportionate to the value of the information and other risks to the business.

Who must disclose security risks in the UK?

This disclosure obligation applies to public electronic communications service providers, which are defined as either a provider of a public electronic communications network or a provider of a public electronic communications service. A public electronic communications network is a transmission system for the conveyance of signals of any description available to the public. A public electronic communications service is the way in which the network can be accessed. In summary, network operators (e.g. BT and O2) are caught by the Regulations, as well as ISPs (e.g. Tiscali and NTL).

What must they disclose and when?

The PEC Regulations state that where “there remains a significant risk to the security of the public electronic communications service”, the service provider shall inform the subscribers concerned of:

  • the nature of that risk;

  • any appropriate measures that the subscriber may take to safeguard against that risk; and

  • the likely costs to the subscriber involved in the taking of such measures.

This information should be provided to the user free of charge (except for the nominal costs a subscriber incurs while receiving or collecting the information, such as the charge for receiving emails).

The Information Commissioner’s Office (“ICO”) states that security is not to be regarded as being compromised if:

  • a disclosure is made in connection with the prevention or detection of crime;

  • a disclosure is made for the purposes of criminal proceedings;

  • communications are intercepted under an order made by the Secretary of State to intercept any communications as may be specified in a warrant;

  • a disclosure is made in the interests of national security or in pursuance of a court order.

To whom must they disclose the information?

The ICO’s guidance emphasises that the breach only needs to be disclosed to the subscribers concerned and not to all users of the service. At present there is no obligation on the ISP to disclose the breach to the Information Commissioner.

The UK’s response to the Commission’s proposal

On 2 November 2006 the Department of Trade and Industry submitted its response to the Commission’s proposal. Its view was that the Commission’s proposal significantly extended the scope of regulatory interventions in relation to security. The DTI argued that appropriate levels of security can be achieved through co-operation with industry and educating end users, and that therefore Member States should not set out in detail the security measures that should be taken by individual service providers and network operators.

The DTI agreed in principle with requiring service providers to inform customers of security breaches. However, its view was that the notification requirement should only apply to breaches that result in personal data being disclosed, rather than to breaches of network integrity and continuity of supply.

The DTI called for greater clarification of the exact scope of change envisaged by the Commission’s proposal.

The DTI also asked the Commission to review the data protection legislation as a whole and not to concentrate solely on service providers. It proposed looking at other breaches of security, such as bank details lost in the post, as well as breaches by ISPs and network operators.

The Information Commissioner’s approach

In August 2006 Richard Thomas, the Information Commissioner, in a radio discussion of security breaches, stated that the responsibility for changing the Data Protection Act would lie with the UK Parliament, and that greater debate was needed before making disclosure a legal requirement. The Information Commissioner’s view was that it was best practice to notify individuals of breaches.

The Information Commissioner’s Office is not able to collect information about security breaches at present, as there is no obligation upon ISPs and network operators to disclose breaches of security to the Information Commissioner’s Office. Consequently there is no actual information about whether companies are disclosing breaches of security to customers when they happen.

Likely impact of the Commission’s proposal in the UK

The change proposed by the Commission, placing an obligation to inform customers of breaches of security, goes further than UK legislation. Although the PEC Regulations state that subscribers should be informed of risks to security, service providers do not have to inform them of breaches. In reality this may make little difference, since what is a security breach may also amount to a security risk and therefore should be disclosed under current legislation. However, at present in the UK there does not (yet) seem to be a culture of ISPs and network operators disclosing breaches or security risks to subscribers. Therefore a positive obligation to disclose breaches may significantly change ISPs’ and network operators’ approach to security in the UK.
