Legal Developments

Living with a regulatory bear market

A loss of confidence in data security is leading to a raft of new laws and regulations, says Stewart Room.

The aftershocks of a seismic 2003 California ruling on data loss are still being felt around the world. Under the breach notification law, which has since been widely adopted across the US and the EU, companies must immediately disclose a data breach to customers, usually in writing.

Spurred on by numerous high-profile cases of data loss, governments are becoming ever more vigilant, introducing wider-reaching laws and tougher sanctions. This cycle has been called a "regulatory bear market," in which those responsible for regulating data security have lost confidence in the ability of data owners (or those controlling data) to keep information safe.

In addition to law reform, these developments have also encouraged many new initiatives for best practice.

The changing balance of power

Breach notification laws are significant in that they transfer power from the data owner to the regulator and the consumer. The regulator is able to ask organizations for information, launch enquiries and, if necessary, hand out punishments. The consumer is also empowered to ask for information and has the potential to take legal action. He or she enjoys the added benefit of an "early warning system" that buys valuable time to safeguard finances, change personal details and so on.

Politicians are also keen on data security legislation as it offers an excellent opportunity for point scoring. Taking a tough stance is popular with voters and helps avoid the bad publicity that inevitably accompanies a major incident. The 2007 loss of data disks containing millions of UK taxpayers' details was an embarrassing affair that undoubtedly damaged the government.

The threats from politicians have been far from idle. In 2009, the UK Financial Services Authority (FSA) fined a global banking group £3 million (US $5 million) for data security failings.

No let-up

The pace of reform shows no sign of slowing down. The EU will introduce a compulsory breach notification scheme for the electronic communications sector, as part of a general overhaul of the regulatory framework.

Meanwhile, "Privacy Enhancing Technologies," or "PET," is creating a greater role for IT in achieving compliance. This will eventually result in a new accreditation scheme for technologies that help to keep data safe. Encryption of data is also becoming mandatory in many countries.

In the UK the focus is on penalties and inspections. Those who threaten the safety of personal data could soon be facing a prison sentence, whilst the Information Commissioner now has the power to fine data owners that fail to obey the data protection principles. The Commissioner will also be able to enter premises in both the public and private sectors to inspect processing systems, gather evidence and interview people.

All of this activity is leading to one place only: more disputes and litigation over data security. Data owners and controllers that fail to adjust to this new landscape are bound to suffer more pain in the years ahead.

Barrister and Solicitor Stewart Room is a partner in Field Fisher Waterhouse's Technology Law and Privacy and Information Law Groups. He is President of the UK National Association of Data Protection Officers.