On Thursday, Datonomy attended the Data Security Masterclass held by Olswang LLP at its Reading offices. The session was well attended by representatives from a range of industries including the telecoms and financial services sectors – both of which are of course subject to rigorous regulation in this field.
After describing the range of circumstances which can give rise to a data loss, Marc Dautlich (partner and head of Data Protection) spoke about the importance to organisations of having in place both a prevention plan and (should the worst occur) a response or mitigation plan. From a straw poll, around half of the group believed that their organisation had the former in place, but only a third had the latter.
Dan Tench (partner in the Litigation & Arbitration Group) went on to address the range of legal issues involved, both (i) in pursuing a party who has obtained or leaked data, and (ii) in responding to a claim or allegation that data has been lost. The audience was particularly interested in the recent development of “unknown person” orders (otherwise known as “Spartacus” orders). These can be served using an email address or by describing an anonymous wrongdoer, and usually require the wrongdoer(s) to identify themselves.
In terms of prevention and planning, the speakers highlighted:
- The range of technical solutions available which can help monitor whether data has been accessed or is being used by a third party. These should be combined with more traditional methods such as encryption and access control.
- The importance of having robust contracts in place with suppliers and partners setting out the standards they are expected to meet. The most common way of dealing with a failure to meet such standards or a breach of confidentiality is through an indemnity, along with a reservation of the right to apply to court for an injunction or specific performance.
- The growing trend for bespoke insurance covering “cyber-liability” or loss of sensitive data. This allows for a more realistic and accurate assessment of the risks involved.
There were also some useful tips on how to respond to a data breach, particularly the importance of collecting all facts (“triage”) and assessing all potentially relevant stakeholders (e.g. HR, IT, Compliance, PR). Questions were raised about whether the ICO might make the (currently voluntary) requirement to report data breaches mandatory following a similar development in the telecoms industry from May 2011. Were this to occur, it was thought that some assessment of the seriousness of the breach would still be required, taking into account the likely harm and distress that could result. It was therefore unclear whether this would signal a significant departure from current practice.
A recurring theme was the importance of the “organisational measures” used to protect data, a key concept under the Data Protection Act 1998. Even the best laid plans and detailed policies are unlikely to be useful unless they are readily understood and implemented by employees and suppliers/partners – hence the importance of training and carrying out regular audits.
Olswang thanks all who attended. A copy of the slides from the presentation can be found here.