September 2014 update 

Cyber security is about risk reduction, not risk prevention. No system can ever be 100% secure, particularly when constrained by financial resources and the exposure to human error or behaviour.

The law governing data security is similarly not absolute. For example, the Data Protection Act 1998 ("DPA") demands that an organisation has "appropriate" technical and organisational security measures.

An organisation is left to determine what might be "appropriate" and a recent decision has highlighted the need for an organisation to continually review what might be "appropriate" in accordance with the ICO's guidance.

This month, the ICO criticised the Racing Post for falling short of the standard required by the DPA. Racing Post was subject to an internet based SQL attack which gave the attacker access to the personal data of over 600,000 customers. The ICO demanded that the Racing Post undertake to ensure that up-to-date security patches are in place and arrange regular security testing.

In sanctioning Racing Post, the ICO's decision emphasises the need to observe the specific technical security measures set out in the ICO's own guidance published earlier this year (see our June newsletter - the ICO's Top 8 Reasons for Data Breaches). The ICO's decision affirms that security assessments are not a one off event – they need to be regularly conducted and updated.

On the basis that an organisation will never be 100% secure, records of regular security assessments are crucial to defending reputation and legal liability. The inevitable nature of security breaches, regardless of financial and technical resources, was highlighted by the recent "hacks" of celebrity Apple iCloud accounts.

Over the last month, photos of 101 celebrities were allegedly obtained from Apple's iCloud before being published on photo sharing website, 4Chan. Apple immediately investigated the breach and determined that it was the users' passwords which were the weak link. If true, this hack is an example of how the most sophisticated security can be breached as a result of human error. Whether this incident was caused by the accidental disclosure of passwords, the use of insecure passwords, or the failure to regularly update those passwords, it highlights how hackers are willing to exploit the cracks in security caused by human error.

The Apple example also reminds us that where an organisation's security is reliant on a third party, it is important to ensure that the delegation of responsibility is expressly recorded in the contractual terms. This is something that we explore in more detail in our law report on Frontier Systems Ltd (t/a Voiceflex) v. Frip Finishing Ltd [2014] EWHC 1907.

For DAC Beachcroft cyber updates, please follow us at @legallnutt and @hillegal1970

For DAC Beachcroft privacy updates, please follows us at @DACBprivacy

Click any of the links below to read more ...

UK Developments

EU Data Protection Regulation Developments

Updates from around the World...

·         South Korean Amended Personal Information Protection Act ("PIPA") comes into force

·         Irish office of the Data Protection Commissioner ("DPC") issues audit process guide

·         Germany issues revised draft cybersecurity law

·         CNIL issue public warning to Orange France

Key Dates Calendar