IT teams 'need technical guide on data protection'
The technical measures that IT departments must put in place to ensure customer information is secure enough to meet data protection rules must be spelt out in official guidance.
Law firm Pinsent Masons, which sounded the call yesterday, was responding to the Information Commissioner’s Office decision to impose a £250,000 penalty on Sony for breaching the Data Protection Act. The maximum fine the office can impose is £500,000.
According to the ICO, a cyber attack on the company’s PlayStation Network in April 2011 put a huge number of consumers at risk of identity theft, but could have been prevented if Sony’s software had been up to date and if technical developments hadn’t rendered its passwords insecure.
“There’s no disguising that this is a business that should have known better,” said ICO’s data protection director David Smith.
“It is a company that trades on its technical expertise, and there’s no doubt in my mind that they had access to both the technical knowledge and the resources to keep this information safe.”
But Pinsent Masons’ data protection expert Marc Dautlich believes it is the ICO which needs to do more, specifically by issuing guidance on the technical measures that constitute “appropriate technical and organisational” security measures, as the law stipulates.
He explained: “The Sony appeal could be extremely interesting as it may provide an insight into what the ICO considers to be an appropriate standard of security that organisations have to have in place, particularly as it is a case involving a company in the private sector.
“Organisations are increasingly subject to malicious attacks and clarity from the ICO is needed about just how good security needs to be to meet the requirements of the DPA.”
Following the breach, acknowledged by the ICO as a “determined criminal attack”, Sony has rebuilt its Network Platform to ensure that the personal information it processes is kept secure.
“The penalty we’ve issued today is clearly substantial, but we make no apologies for that,” maintained the ICO’s Mr Smith. “If you are responsible for so many payment card details and log-in details then keeping that personal data secure has to be your priority. In this case that just didn’t happen.”
Nevertheless, Pinsent Masons hinted that spelling out now what constitutes “appropriate technical and organisational measures ... against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”, could save the ICO extra work in the future.
“This is an important issue at the moment,” said the firm, “but it will come even more into focus if all organisations are mandatorily obliged to report data breach incidents, as would be the case if proposed reforms to EU data protection laws are introduced as currently drafted.”