Data loss? We have a policy for that

Zurich Insurance’s recent brush with the Information Commissioner’s Office (ICO), which saw it criticised for breaching the Data Protection Act (DPA), is but the latest in a series of incidents that have highlighted the embarrassing housekeeping practices of a number of financial services companies.

In case you missed it, in March Zurich was named, shamed and ordered to improve its data security. This followed an ICO ruling that it had breached the DPA after losing the personal details of 46,000 British customers when an unencrypted back-up tape went missing in South Africa while being transferred in 2008.

Zurich said there was no evidence that the lost customer details had been used to commit fraud.

However, the government appears to have finally lost patience with companies that fail to take proper care of personal details, providing brokers with a potentially lucrative business opportunity.

It has clamped down following high-profile data loss scandals, such as stolen or mislaid Ministry of Defence laptops – a total of 747 between 2004 and 2008 with at least one carrying top-secret briefings – and HM Revenue & Custom’s spectacular loss three years ago of information on 25 million families receiving child benefit.

Those cases involved public bodies, but the private sector has lost data, too: over the past two years, companies accounted for just under half of the 818 data breaches reported to the Information Commissioner, the principal regulator of the DPA.

Last month, the ICO was given new powers. These increase the maximum fine it can impose from £5,000 to £500,000, and firms found in breach of the DPA can also be suspended from trading. There is talk of custodial sentences being introduced for future breaches.

“There was a general feeling that the Information Commissioner was fairly toothless, and that you could lose confidential corporate information without much fear of a reprimand, but that is changing,” specialist insurer CFC Underwriting’s business development director, Graeme Newman, says.

“I think the recent changes are just the first step towards much more sophisticated and hard-hitting data protection controls in the UK and then across Europe.”

Double trouble

Until now, the ICO was seen as the poor relation of the FSA when it came to punishing firms that breached the DPA. The FSA’s remit is to reduce financial crime, which includes data breaches. When it came to enforcement, it had significantly more power to punish companies.

High-profile companies that have felt the wrath of the FSA for data breaches include Nationwide Building Society, which was fined £980,000; Norwich Union Life, fined £1.26m, and Britain’s biggest bank, HSBC, which was fined £3.2m.

Those penalties may look small in future – particularly for financial services firms – in the face of the ICO’s new teeth. Companies that are FSA-regulated could find themselves facing fines from both the FSA and the ICO if they breach the DPA, since there is no sign that either regulator will give credit for a fine imposed by the other.

In addition to fines, breaches of electronic data can also result in potentially expensive claims from those whose security has been compromised. Moreover, the cost to a company’s reputation following a data loss can be much more damaging than any punishment from the regulators.

So there are plenty of good financial reasons for businesses to ensure that they are taking adequate steps to protect the information they hold on staff, customers and suppliers in line with the DPA.

The act places a number of responsibilities on companies, and they must designate data controllers whose duty is to ensure that “appropriate technical and organisational measures” are in place within a business to protect personal information from “unlawful or unauthorised use or disclosure and accidental loss, destruction or damage”.

For example, the ICO has warned companies to ensure that any removable devices, such as laptops, USB sticks or even, in some cases, mobile phones, are encrypted if taken offsite.

Basically, to keep on the right side of the DPA, companies need a belt and braces approach. One of the ways this can be done is to gain accreditation from a recognised body. This demonstrates to customers and the regulator that a company has implemented and reached respected standards.

Getting protection

“You have private sector bodies, such as the Payment Card Industry Security Standards Council,” Newman says. “They have a standard that governs data security for anyone that stores or processes credit card details – effectively that’s all the retailers across the world.”

Earlier this year, healthcare insurer WPA became the first UK insurer to be accredited with the British Standards Institute (BSI)’s International Standard for Information Security Management.

“More than half of our business is corporately funded, and a lot of large companies ask a lot of questions about your information security, so you need to be on top of it,” WPA chief executive Julian Stainton says. “We set out to attain the BSI accreditation, complete with its external audits and other safeguards and procedures.”

Stainton says that improving data security to gain the accreditation required a change in mindset in the way staff hold and manage data. “It’s not just data in the classic computer sense of the word,” he says. “In addition to documents, letters, computers and laptops, you’ve also got to consider iPhones, BlackBerrys and emails. All have the potential to cause a problem if your processes are not managed correctly.”

For the less vigilant, there is always insurance. Cover is available to enable brokers to help clients protect themselves against a scenario when their data protection systems fail.

“We’ve had a cyber-liability product available for about 10 years, designed to protect companies against liability they could face from losses of data,” Newman says.

“In the UK, if there was a lawsuit brought against a company for the loss of third-party data, that could be covered. If there are fines which are insurable under the applicable law, they could be covered as well.”

Legally allowed

Unfortunately for financial services companies, however, FSA fines are not insurable.

Newman adds that the industry is seeking clarification as to whether ICO data protection fines are insurable under UK law. In Spain, which until now has had tougher data protection laws than the UK, fines imposed by the information commissioner are insurable.

Newman says: “We can only insure fines where we are legally allowed to do so. For example, the civil fines issued under the PCI Data Security Standard are contractual fines and hence insurable.

“Contractual disputes can also arise between businesses over non-disclosure agreements. If you look at insurance brokers, they have a contractual obligation to clients to keep data secure; they also tend to sign lots of non-disclosure agreements.

“ When you have a breach of data, whether personal or commercial, it can often give rise to a breach-of-contract claim under those non-disclosure agreements. But, again, that can be insurable.”

There is even cover to help a company protect its brand, often the most worrying aspect for a business that finds itself on the wrong side of the regulator’s attention.

“We also have a policy for public relations expenses, which is basically an emergency PR fund for firms,” Newman says. “Once you have a breach, the most important thing to do is to handle it appropriately in terms of the media. Emergency PR is part of that.

“It’s very hard to insure a brand value or insure the loss of future revenue, so the one thing we can do is provide a PR fund.”

US?style

The insurance market is fast becoming more sophisticated in terms of data protection, but it remains small in comparison to America. There, tighter regulation governing data protection is driving the insurance market to come up with new policies to protect businesses.

According to Newman, the US data protection insurance market is worth between $400m and $500m, and is predicted to grow tenfold over the next three to five years. He says: “It is hard to put a number on the UK market, but it’s probably around 5%-10% of the US market.”

That is likely to change as more legislation is introduced to tighten enforcement here.

Unlike the USA, there is no legal obligation for a company to notify the ICO or the FSA of any breaches in data security, unless they are deemed by the company to be serious.

However, ICO deputy commissioner David Smith has said that a European Commission review of data laws would require the implementation of so-called “data breach notification law” in the UK within the next two years.

It is unlikely to stop there. In the USA, companies are also required to notify individual consumers whose personal information has been compromised by data loss. It is extremely likely that similar legislation will arrive in the UK and Europe before too long.

Unsurprisingly, cover is available in the USA to offset the costs associated with providing notification to customers in the event of a breach.

Human error

So what can UK businesses do to keep on the right side of the DPA?

“In practice, there are things you can do to manage risk and prevent a breach, such as encrypting information, particularly when held on laptops and hand-held devices,” Newman says.

“At the end of the day, though, that data needs to be readable and usable. The fundamental problem is that humans use data and can be quite careless sometimes.

“It is impossible to get yourself in a position where you are 100% secure, unless you take your computers and lock them in a safe and never use them.

“It is easy to lose things, and most breaches are from something quite innocuous. That’s where insurance comes in.”

One-third of companies shun DLP technology

1. A report released last month by IT management software provider CA and research group Quocirca revealed that 64% of UK businesses are not using data loss prevention (DLP) technology, ranking the UK behind France, Ireland, and Italy.

2. UK companies expect data privacy and national security to be the two areas of regulation that will affect their business the most in the next five years, but they blame a lack of time, a “lack of compliance vision” and scarce resource availability for failing to address compliance issues.

3. Although the financial services industry is the biggest commercial spender on IT security, almost half of sector companies are unable to identify or classify different types of data. For example, if an email goes out of the network, they can’t tell whether it contains sensitive or non-sensitive documents.

The CA/Quocirca report, You Sent What?, is available for download from bit.ly/yousentwhat IT