Protect your data
- Posted in: IP Strategy, 27th May 2008
Following the embarrassing loss of 25 million child benefit records by HM Revenue & Customs in late 2007, the security of personal data is in the spotlight once more. But few companies are aware of just how damaging such a breach can also be to their IP assets, says Macfarlanes’ Sarah Needham.
The recent furore surrounding the loss of 25 million child benefit records by the UK’s HM Revenue & Customs, as well as other highly publicised data losses by the Driver and Vehicle Licensing Agency and the Department of Health in 2007, has put compliance with data protection law in the spotlight. But few companies are aware of just how damaging such a breach can also be to their IP assets.
A data security breach can occur for a variety of reasons, whether as a result of lost equipment or ineffective security measures controlling access to online data. Organisations which process personal data must take appropriate measures to manage the risk of such a breach. In the UK, this is regulated by the Data Protection Act 1998 (DPA), which applies to ‘personal data’ that is stored online or in a well-structured filing system offline, and which relates to living individuals who can be identified from that data (for example, a medical record).
Managing risk
Among other things, the DPA obliges data holders to: submit a notification to the Information Commissioner (IC), the UK regulatory authority for data protection; comply with the eight ‘principles’ laid out in the DPA; and put written agreements in place with any data processors to guarantee that they ensure adequate security of that data.
But despite this, the UK enforcement regime lacks teeth; at present the UK IC can only give a slap on the wrist for most breaches of the DPA by serving a notice on miscreants, requiring them to comply with the DPA or to sign an undertaking agreeing to comply with the DPA in the future.
Third parties affected by the breach do, of course, have the right to bring an action for damages for financial loss and distress under the DPA. But court actions are extremely rare and most companies evade financial sanctions for data breaches in the UK, unless they are also regulated by other regulators; for example, the Financial Services Authority has its own regime to punish data breaches, and in February 2007 fined the Nationwide building society £980,000 for data protection breaches involving the theft of a laptop containing customer data from an employee’s home. However, it is likely that the UK will eventually move to a stronger regime.
The European Commission has already complained to the UK government about the lack of enforcement powers given to the UK regulator compared with other EU jurisdictions. Proposals under discussion in the UK include: a requirement to notify individuals of data breaches; a requirement for chief executives to sign off on compliance within their organisation (with failure to do so accurately being a criminal offence); unlimited fines for those who knowingly or recklessly fail to comply with the data protection principles; and obligatory notification of security breaches by network operators and ISPs.
But it is not just in the storage of personal data that companies need to re-evaluate their processes. As well as infringing data protection law, data breaches also have the potential to seriously impact bottom-line revenues, whether directly through the leak of ‘trade secret’ information or through the reputational damage associated with data breaches.
Guard your assets
Key corporate assets – for example trademarks, employee details, trade secrets and corporate know-how – are supported by a growing mountain of paperwork due to an increase in regulation, including the need to keep documents for litigation purposes and an audit trail for financial reasons.
But ready access to this data is a key commercial concern, leaving technology and business executives struggling to ensure their IT operations and business processes comply with complex governance mandates and are commercially workable.
For example, while smaller companies may store IP in a central database, international companies may have employees around the world involved in R&D and IP management, making it imperative to monitor traffic leaving and entering every location. For that reason, it is vital that businesses monitor the connectivity between enterprises, customers and business partners who transfer valuable information about their key assets.
Ultimately, the best solution is to use your employees as IP guardians; if your employees are aware of the IP that you own and how it is infringed, they will take better care when sending information that could compromise the value of that asset.
They – and your customers – can also be invaluable in recognising and reporting infringements of your rights.
This article was first published in IP Review, issue 22