'One Of Our Laptops Is Missing' - The Risks Of Data Loss And How To Prevent It

Introduction

The European Consumer Commissioner has recently described personal data as "the new oil of the internet and the new currency of the digital world". However, if data is handled incorrectly, lost or misused it can quickly become a toxic liability for companies and bring them to the attention of the regulators with adverse financial and reputational consequences. In this article, we consider what lessons can be learned from previous reported breaches, what practical tips organisations can follow to help prevent data losses, what the regulators' approach is to the issue of lost data and what to do if a breach occurs.

Data losses and/or unauthorised access to data can be the result of a number of factors, including technical security failures, stolen equipment, hacking, an employee losing a laptop or papers, or rogue employees actively misusing data (eg the recent incident where a T-Mobile employee sold customer data to rival companies).

T-Mobile are not alone, however. One needs only to glance at recent newspaper headlines...

"HSBC fined £3m by the FSA over data security", "FSA fines Nationwide £980k for information security lapses", "ICO raps insurance firms for data breaches"...

These show that the problem of data losses (and its consequences) is very real in the financial sector.

Regulatory Bodies – FSA/ICO

The main regulatory bodies to be aware of are the Financial Services Authority (FSA) and the Information Commissioner's Office (ICO), which enforce and monitor compliance with the Data Protection Act 1998 (DPA).

The DPA includes a set of "good information handling" principles which apply to the use and holding of personal data (ie data that can be used to identify a living individual). The seventh of these principles requires data controllers to take "appropriate technical and organisational measures to protect personal information against unlawful or unauthorised use or disclosure and accidental loss, destruction or damage".

With respect to data breaches, the FSA's remit can be seen to go wider than the ICO's. This is because the FSA has a statutory objective to reduce financial crime. The FSA will therefore be interested not only in any loss of personal data but any loss of data which could be used to access account details (ie credit card details) and any data which could be used for impersonation or to create a false identity (names, dates of birth, NI number). This would extend to data about companies which is not "personal...
