It is often said that technology is the problem and the solution. This is surely appropriate for data security. After all, more than 95 per cent of corporate data is held electronically.
Perhaps the best approach is to distinguish between data security – preventing unauthorised disclosure – and litigation/regulatory readiness – managing authorised disclosure effectively. The legal rules of data protection and the civil courts require those responsible for the relevant data to consider what technology is available to better avoid unauthorised and manage authorised disclosure. This fact alone dictates that IT and legal experts should communicate and collaborate.
The Data Protection Act imposes a duty to ensure an appropriate level of security. This involves a consideration of the nature of the data, and the likelihood of loss, cost and developments in technology. It is not sufficient for the risks around storing and using high volumes of electronic data to appeal to the legal framework alone.
The potential damage to brand and reputation is too often underestimated.
When 1,500 Standard Life savers’ personal details were lost en route between HM Revenue and Customs (HMRC) offices in Newcastle and Edinburgh, the data was encrypted to the highest degree. But two lost HMRC CDs containing Child Benefit Agency information were protected by only one password.
Subcontracting is another example of risk – one that led to Marks & Spencer (M&S) losing an unencrypted laptop and being found by the Information Commissioner to have violated the law.
What about the litigation/regulatory risk? Few organisations appreciate the burden, time and cost of a request from an opponent in litigation or from a regulator to produce documents. Most are blissfully unaware of what is involved.
What are you going to do when asked to produce substantial volumes of data against a tight deadline? Where is the data? How are you going to search for it? What happens if you do not produce files when requested but they subsequently come to light? The low priority accorded to this risk could prove disastrous.
What should companies be doing?
First, the risks must be appreciated and managed. Make data management an organisational priority. Instigate ongoing communication and collaboration between the IT function and the legal team. For example, is there a policy about the removal of mobile devices from company premises? What about the use of removable media such as memory sticks? Who is controlling that data?
Second, draw up and enforce appropriate policies that should be kept under constant review. Keep audit trails so that a course of action can be justified later if necessary.
The use of encryption is not as widespread as may be thought, as the M&S incident testified. Training is vital, and every contract within the organisation should be reviewed in relation to the data management risk.
Whether your technology is in-house or outsourced, those responsible will need to appreciate the different data protection laws in different countries, the prevention of over-writing backup procedures during the preservation and collection phase, and the challenges presented by differences in local language and culture where data has to be collected across continents.
Volume reduction is essential to confine data within reasonable parameters such as date ranges, file types, and relevance, to eliminate unnecessary duplication.
A documented and defensible methodology to justify decisions is indispensable. And project management skills to review the data for confidentiality, privilege and non-relevance is essential to stop costs spiralling out of control.
Legal teams must understand what technologies are available, and IT managers must understand the rules governing the retention, destruction and disclosure of electronically stored information.
What better way to start taking control than for IT and legal to talk to each other?
Mark Surguy is a senior associate at international law firm Pinsent Masons
Data protection disasters
* HMRC lost two unencrypted CDs containing the details of 25 million child benefit recipients. It appears that it was a breach of company policy to use the internal post (a courier) rather than recorded mail that led to the loss, and not a breach of any encryption requirement.
* M&S used a consultancy to prepare pensions statements. The evening before a meeting, the company’s data was downloaded to a laptop in unencrypted format, and the computer was stolen. M&S immediately put into operation an encryption programme for all its laptops.
* When Arthur Anderson staff shredded documents in connection with the Enron affair, the fatal damage to the company was caused by a failure to comply with a document-destruction policy. Had the shredded documents been destroyed in accordance with the policy, no complaint could have been made and the organisation would still be in existence today.
Available at: http://techlaw.computing.co.uk/
No comments:
Post a Comment