Each year, as part of a global trend-spotting exercise, Morrison & Foerster surveys its partners in different practice areas and geographies to compile reports on particular trends affecting our clients’ businesses. Although those reports focus primarily on outsourcing trends, an interesting development over the past three years has been the growth in importance of data security and privacy laws around the world.
Data protection used to be regarded simply as a niche area of regulation, perhaps relevant only to limit the people to whom an organisation’s marketing materials could be sent or to impose restrictions on the transfer of data outside the country as part of an offshoring arrangement. That is no longer true.
Data privacy and security issues now pervade every organisation, and more than ever before, organisations face serious repercussions if they do not handle their (and their clients’ or customers’) data in the right way.
The growing importance of data privacy issues stems from two main factors. First, there has been an exponential increase in recent years in the amount of data held. This in turn has led to an incredible volume of laws, with new laws and regulations appearing almost weekly that steadily raise the bar for organisations seeking to implement broad-ranging data security compliance programmes. Secondly, growing public and media awareness of data breaches has caused regulators and law-makers to impose greater consequences for incorrect data handling.
The scale of the issue
Last year was a bumper year for data breaches – especially those attracting mass media attention. One global bank lost a disc containing the personal details of 370,000 customers; T-Mobile, a subsidiary of Deutsche Telekom, lost personal data relating to 17 million German customers; in South Korea, GS Caltex call centre employees were accused of downloading and attempting to sell the names, social security numbers and email addresses of 11 million customers; and in the US, BNY Mellon, a financial institution, admitted losing information relating to 12.5 million customers.
The consequences of a data security incident now include financial costs (the cost of notifying affected individuals alone can be high), significant embarrassment and reputational damage for the organisation responsible, and the loss of future business.
As a result of the volume and impact of data breaches, companies are being more precise in their data security expectations. In many cases they have to be. For example, new regulations in some US states require certification by service providers that they have a comprehensive written security programme, and Spain already requires encryption of sensitive information when it is transmitted.
Increasingly, organisations are moving to encrypted data platforms, and we are already seeing specific provisions in supplier contracts requiring, for example, the encryption of service providers’ employee laptops and the encryption of sensitive personal data sent via email. We are also seeing requirements limiting access to the fewest people necessary to perform the service, and limitations on remote access to data centres.
Data protection authorities around Europe are also beginning to recommend, and in some cases require, encryption as a necessary security measure for transfers involving critical personal data and for all laptop computers containing sensitive personal information.
This trend will affect security requirements written into many future outsourcing and third-party supply contracts.
A further development in respect of data security – specifically in relation to financial data – is manifested in the new privacy standard issued by the International Organization for Standardization (ISO): ISO 22307:2008.
This is intended to help private and public sector organisations identify and mitigate privacy issues and risks associated with processing financial data of customers and consumers using automated, networked information systems. Particularly in light of the current focus on data security, banks and other financial institutions are requiring their service providers to comply with ISO 22307:2008.
In terms of supplier contracts, organisations are devoting more energy to incorporating new risk and liability provisions in contracts with their suppliers in respect of data loss (and the consequences of breaching data security obligations).
Companies are also seeking better assurance mechanisms that give them as much transparency and confidence as possible that any personal data transferred to a supplier is processed securely and in many instances raising the bar beyond what is statutorily required. This may translate into greater scrutiny and due diligence at the inception of a supplier relationship, more detailed provisions relating to data security and more assurances regarding obligations following a breach.
Notification of breach
The introduction of breach notification rules is currently one of the privacy ‘hot topics’ in many EU member states. Breach notification legislation already exists in a number of countries and US states, and requires a data holder that has lost individuals’ data to notify the affected individuals.
EU regulators are currently debating the need for an EU-wide requirement to notify regulators of data privacy breaches; the related notification triggers and thresholds; and the consequences of any such breach depending on its seriousness. Irrespective of the exact outcome of that debate, in 2009 we expect to see more companies requiring service providers to report immediately any actual or suspected data breaches, and to cooperate in the response to any data breach.
Businesses now realise that data security is not just an IT issue. However, management often focuses on the technical aspects of data protection; for example, should data be encrypted using 128-bit or 256-bit keys? (In practice that choice matters far less than how the keys are generated, stored and controlled.) But the most critical component of any data security programme is the people who come into contact with the data.
Employees and suppliers can be either the weakest link or one of the best lines of defence against data security breaches. Data security practices should address the risks posed by an external attacker, but companies also need to make sure that they don’t overlook the risks posed by a careless or ill-intentioned employee.
Every organisation needs an integrated data security policy that covers risks arising from both technical failures and human error. Ultimately, data security breaches at some level within an organisation are inevitable, and companies should plan for them so that they can mitigate the risk and control the impact of a breach. It is imperative that companies don’t wait until a breach occurs before developing and implementing a response plan.
Alistair Maughan is a partner in the London office of Morrison & Foerster and a member of the Technology Transactions Group. He is also chair of the firm’s Global Sourcing Group.
This article first appeared in Legal Strategy Review, Issue 3