Analysis

Responsible data leak disclosure

By: Bob Tarzey, Service Director, Quocirca
Published: 20th September 2011
Copyright Quocirca © 2011

There has been plenty written, not least by Quocirca, on the danger of data loss and how to prevent it. Less has been said about how to clear up afterwards, when the measures taken to protect a business from such losses have failed or were never in place; in particular, about the responsibilities an organisation has when it comes to disclosing that such an incident has occurred.

One of the reasons for this is that the legal situation is a bit vague, so there is a temptation to think that the problem can be brushed under the carpet. Organisations that do this may find themselves in hot water if details emerge at a later date, or at least hotter water than they would have been in had the leak been reported in the first place.

For any UK-based business, the first stop is the Data Protection Act (DPA), enforced by the Information Commissioner's Office (ICO). The specific advice on the ICO web site with regard to disclosure is as follows:

“Although there is no legal obligation in the DPA for data controllers to report breaches of security which result in loss, release or corruption of personal data, the Information Commissioner believes serious breaches should be brought to the attention of his Office. The nature of the breach or loss can then be considered together with whether the data controller is properly meeting his responsibilities under the DPA.”

So that’s alright then, keeping hush-hush is OK? Not really. Just because the “data controller” (that is, the person in any given business charged with the security of personal data) is not required to report a leak, it does not mean that the leak has not occurred. If the problem comes to light at a later date, and this is when the ICO finds out, then he is likely to take a dimmer view than if the leak had been reported up front. And remember, if personal data is involved, “data subjects” (that is, you and me, in our roles as private citizens) may be the first to find out, and their privacy is enshrined in the European Human Rights Act (Article 8).

Furthermore, the pressure to disclose was increased on May 26th 2011, at least for certain organisations. The “Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011” (PECR) specifically require service providers to notify the ICO, and in some cases individuals themselves, of personal data security breaches. PECR was introduced mainly to target the use of cookies that internet service providers can use to gather personal data to personalise web services.

Beyond the DPA and ICO there are other pressures to disclose. For example, the Financial Services Authority (FSA) arguably obliges the firms it regulates to notify data breaches as part of their general reporting duties. Another standard that requires disclosure and already affects many businesses is the Payment Card Industry Data Security Standard (PCI-DSS).

PCI-DSS compliance is required for any business that accepts payment cards – even if the quantity of transactions is just one. It is enforced via the major card brands (VISA, MasterCard, AMEX, Discover and JCB), and the obligation to disclose is in their contracts. For example, VISA advises that the following steps be taken:

  • Contact law enforcement
  • Contact bank
  • Contact VISA fraud control
  • Preserve logs
  • Make notes of all these actions

VISA also advises:

“Make sure you have a written policy with an incident response plan and make sure all employees are aware of it”.

VISA's advice is pretty good for handling any data loss: getting control of the situation at an early stage and informing affected parties makes sense for any data leak.

Beyond payment card data, there is plenty of other advice available. Field, Fisher and Waterhouse, a law firm specialising in data protection law, has a 10-point plan for handling the theft of a laptop. One point it makes is to have a media strategy, not just to get the media on side ASAP, but because it may also be the most effective way of informing data subjects. This will depend on the nature of the data loss and on whether a criminal investigation is likely to ensue.

The trend towards an obligation to disclose data leaks is clearly happening on a number of fronts. However, even if you think that in a given circumstance you can get away without disclosing a leak, you would almost certainly be wrong to do so. A leak is a leak, whether you disclose it or not; it needs pro-active management from the moment it has occurred, and your organisation needs to be prepared for the seemingly inevitable.

Quocirca will be presenting at the UK Infosecurity Virtual Conference on Sept 27th 2011 on the topic of “Responsible Data Breach Disclosure”; for more information go here.

Published by: Electronicdawn Ltd.