Thursday, 16 June 2011

Comprehensive compulsory data breach notification? That’s not the way to do it.

I nearly choked while sipping the celebratory drinks at the end of an excellent Security Forum meeting at the offices of Field Fisher Waterhouse, sponsored by Sophos, this evening, on being told that some of the more controversial remarks I had made during my presentation had already been widely reported on the internet. Dan Worth from V3 was present, as was Warwick Ashford (Computer Weekly) and Dan Raywood (SC Magazine). They were explaining what the press write about following a data security breach or data loss. I hadn't expected Dan Worth to be so kind as to write about me. Let alone, to publish it so quickly!

I had a real problem with my presentation, as I knew that I was following James Lyne, the Director of Technology at Sophos. He’s a fantastic and motivational speaker, and had the audience in the palm of his hand as he brilliantly explained how data can go walkies.

My slot, just before lunch, was billed to be all about how the company I work for is handling the first Pan-European breach disclosure regime, and I needed my presentation to land just as well as James's. But how?

Well, I went for broke. I threw caution to the winds, and first explained how passionate my company was about reducing the incidence of data breaches, and how much I cared about our customers. I also explained that I was far more interested in making sure that our customers were aware of serious data breaches that affected them, rather than focussing on creating a process which diverted scarce resources to ensuring that even the smallest data breach, even one affecting just a single customer, was routinely reported to the Information Commissioner's Office. I don't want to get bogged down in trivia. My preferred approach, of reporting only serious breaches to the ICO, is also one that the ICO has been advocating ever since August 2007. And, from what I can tell, that’s also been the Government’s position too.

At least it was the Government's position until a few weeks ago, when it had to implement an EU directive that requires communication service providers to report all breaches to the regulator, not just the serious ones.

The ICO’s current guidance on implementing these regulations is hard to follow. While it is determined to consider imposing fixed monetary penalties on providers if they don’t meet their obligation to notify the ICO of breaches without undue delay from 26 June (just ten days to go), it’s really hard to work out whether a notification threshold still exists, or not. The ICO’s guidance on Enforcing the revised Privacy and Electronic Communications Regulations (PECR), published on 25 May, set out the Commissioner's position: “Following consultation with service providers, he will be issuing guidance on their detailed application, but the basic requirements are clear from the 2011 Regulations. They are also in line with the voluntary breach notification system currently operated by the Commissioner.”

So I take it from this that the Commissioner expects service providers to adhere to the new PECR requirements, which are to notify all data breaches, while at the same time respecting the current voluntary breach notification requirements, which are basically to notify him only of data breaches involving at least 1,000 victims (or fewer than 1,000 if any sensitive information is included in the breach).

So, is there a threshold or not?

The guidance also carefully explains that: “The Commissioner will ... continue to ... adopt a targeted, risk-driven and proportionate approach to the use of his powers. It also means being selective with the key driver for action being concerns about significant actual or potential detriment caused to individuals by a failure to comply with the requirements of PECR.” Perhaps this means that the Commissioner will expect notification of the non-serious breaches, but will turn a blind eye to failures to notify them.

I also explained to the extremely attentive audience that I was most concerned that some people may make Freedom of Information requests of the ICO to ask about the volumes of data breaches reported by service providers – and they could use this data to write wholly misleading stories if the information from the ICO failed to break down the notifications into “trivial” and “serious” breaches. Service providers have many millions of customers, so of course there are occasions when minor mistakes are made, say when an automatic envelope stuffing machine mistakenly pops two marketing letters, addressed to different people, in the same envelope. But is that really a reportable breach? And might it not paint a wholly incorrect picture if FOI statistics revealed the numbers of breach reports made, rather than the potential harm that could have been caused to people as a result of these breaches?

Dan Worth quite brilliantly drew attention to this lunacy in one of his recent articles, reporting that Barnet NHS Trust was responsible for 187 data breaches in the past three years. And, apparently, the best performing Hospital Trusts in London were the Royal National Orthopaedic Hospital Trust, NHS Croydon and NHS Havering, all of which suffered no data breaches in the past three years. Is this really the case – or could it be more accurate to suppose that Barnet NHS Trust really has got a grip on things, and it has a proper breach notification system in force, while NHS Havering has just swept all its breaches under the carpet?

I concluded my presentation today by suggesting a pithy way that Stewart Room and his colleagues at Field Fisher Waterhouse could highlight the problems that are posed by the mandatory notification of all breaches to the ICO’s enforcement team. Many responsible data controllers have internal reporting systems in place, proper breach notification registers and policies, as well as excellent training and awareness programmes for all their staff. If the ICO wants to visit them to audit their standards, they may be very pleasantly surprised about the levels of awareness and maturity that exist in these organisations.

So, I suggested that Stewart might like to invite the ICO’s enforcement team to London in December to attend the FFW’s Data Protection Pantomime. Here, they would witness a scene - in Act 1 - where the eponymous hero (played by Stewart) delivers an Ode to the Pantomime Dame, which lays out the issue in a way that even the enforcement team can understand.

The Pantomime Dame can be played by Mick Gorrill, formerly Head of the ICO’s enforcement team, who is now an FFW Consultant.

This piece of data protection doggerel is entitled:

Roll up, Roll up
Take a butcher’s at my breaches, and all will be revealed

We’ve been working on our systems
Now we think we’ve got a grip
On meeting the requirements
And still running a tight ship.

It’s all legal and transparent -
You can see just what’s gone on.
It’s in this register before you
Have a look – it’s not a con.

It’s all in hand, dear enforcement team:
I would really be so bold
As to say that most of our mishaps
Fall below your reporting threshold.

Now, don’t memorise our records
Or take pictures from your phone,
Because if we catch you doing this
We’ll be sending you straight home.

Do we trust you? ... Well, of course we do ...
Not much has gone awry.
But these breach reports are serious -
And what we fear is the FOI.