Disclosing Security Breaches In SMEs

For small and medium-sized enterprises (SMEs), the need to protect regulated data is already a big enough headache. The coming decree under the new Data Protection Framework adds to the pain: when a breach occurs and such data leaks into the public domain, the breach must be disclosed to the Data Protection Office (DPO).

The need to disclose will be stipulated by coming changes in EU data protection regulations, which are to be implemented by in-country data protection bodies. For SMEs that centre their activity in the UK, this will be the DPO.

The proposals are currently in draft form and are unlikely to be finalised for a year or two, so there is time to prepare for their likely impact: both ensuring the ability to comply and assessing what might be added to a given business’s workload.

The new stipulations are likely to include the following:

  • Where consent is required, organisations must explicitly ask for permission to process data, rather than assume it (this extends rules that the EU imposed on service providers back in 2011, mainly aimed at the use of cookies).
  • Individuals should have easy access to data stored about them, and it should be easy to transfer it from one service provider to another. Individuals will also have the right to demand that data about them be deleted.
  • Companies with 250 or more employees will have to assign a designated individual with responsibility for compliance.
  • Businesses engaging with cloud service providers should ensure that such providers meet data protection requirements.
  • Organisations must notify the authorities about data breaches as early as possible, “if feasible within 24 hours”, although some think this may be modified to “without undue delay”.
  • The suggested fine for companies found not to be complying with the law will be up to 2% of turnover.

It is true that for SMEs dealing with a lot of regulated data, which for most will mean personally identifiable information and credit card data, the first two items on this list may lead to an increased workload. However, the other items should not cause too much concern, and most make good business sense anyway.

For any business, regardless of its size, data is a valuable commodity so it makes sense to have someone charged with ensuring both its quality and security.

The existing UK Data Protection Act (DPA) already requires any business to have such a person in place – it calls this person the “data controller”. To protect data, the controller needs to know what data there is and where it is. This is getting harder as data volumes and the range of options for storing data grow, including the use of cloud-based resources and mobile devices.

It might be hard, but having up-to-date knowledge is not just about compliance; it is about ensuring the security of, and access to, data that has intrinsic business value.

When it comes to engaging with cloud service providers, due diligence in their selection makes sense anyway. This should include checking on how they manage data. It is also being stipulated that cloud service providers cannot retain the services of a third party without permission from clients and that they should be ready to hand over data at the end of a contract.

All this means that cloud service providers which fall short will have to clean up their act to continue transacting in Europe. Some of these stipulations may lead to increased fees for cloud services, but overall, once the terms and conditions have been checked and agreed, many SMEs will find that well-provisioned cloud services are still a more reliable, more secure and cheaper option than running utility IT functions in-house.

There may not have been an explicit need to disclose breaches in the past, but the UK Data Protection Office had already laid down guidelines: “Although there is no legal obligation in the DPA for data controllers to report breaches of security which result in loss, release or corruption of personal data, the information commissioner believes serious breaches should be brought to the attention of its office.”

Furthermore, if there is an attempt to cover up a leak, data subjects (that is, you and me, in our roles as private citizens) may be the first to find out. The individual’s privacy is already enshrined in the European Human Rights Act – and most are not ignorant of their rights.

Research commissioned by IT security provider LogRhythm in 2011 reported the views of 2,000 UK consumers and concluded that they are “losing patience with organisations that endanger their customers’ data”, with 80% “concerned” about trusting organisations to keep their data safe.

As for fines, the DPO already has the power to levy fines of up to £500,000 for failure to take good care of regulated data, so for a company to be exercised by the proposed new proportion-of-revenue fines it would need to be earning £25m (the high end of the SME sector).

The evidence to date is that the DPO is being proportionate and levying fines well below the maximum even for larger organisations. The DPO has also stated it is “reviewing some of our other guidance in light of the [EU] report’s findings to ensure it is appropriate for the needs of SMEs”.

It should also be remembered that it is not just the DPO and the EU that require compliance; there are plenty of other pressures.

Another standard that requires disclosure and already affects many SMEs is the Payment Card Industry Data Security Standard (PCI-DSS). PCI-DSS compliance is required for any business that accepts payment card transactions. It is enforced via the major card brands (Visa, MasterCard, etc) and the obligation to disclose breaches is in their contracts.

SMEs cannot ignore the new legislation. Taking a positive approach to it, making sure the necessary measures are taken to protect data, and having plans in place to respond when a leak does occur is in the interest of any SME and its customers, regardless of what the EU says.

Bob Tarzey joined Quocirca in 2002. His main area of coverage is route to market for ITC vendors, but he also has an additional focus on IT security, network computing, systems management and managed services. Bob has extensive knowledge of the IT industry. Prior to joining Quocirca, he spent 16 years working for US technology vendors including DEC (now HP), Sybase, Gupta, Merant (now Serena), eGain and webMethods (now Software AG). Bob has a BSc in Geology from Manchester University and a PhD in Geochemistry from Leicester University.