In practice, security continues to be the key data protection requirement with which businesses struggle to comply - all but one of the ICO's fines to date have related to security breaches. Earlier today, O2 issued a notice on its website confirming that its IT service provider, IBM, had lost a back-up tape containing O2 corporate information which may also include O2 customer data.

The Background

The notice on O2's website confirms that in September 2011 IBM misplaced a back-up data tape containing O2's data. IBM notified O2 of the breach sometime during the summer of 2012, and O2 publicly confirmed the breach in December 2012.

The Issues

There are several aspects in relation to the O2 security breach which are concerning:

  • It took over six months for IBM (O2's 'data processor' for the purposes of EU data protection legislation) to notify O2 (the data controller) of the breach and somewhere around four to six months (seemingly, based on the information in the notice) for O2 to notify its customers of the breach.

  • The notice confirms that the information on the tape had not been encrypted (as regular readers will be aware, encryption is a recurring theme of ICO fines and undertakings). O2 has confirmed that 'specialist technology' would be required to read data from the tape and that it contains a 'snapshot' of data held on O2's internal drives, which is likely to be O2 corporate information but may also contain customer data.

  • The tape has not been found and, whilst O2 asserts that it may still be within a secure O2 environment, it cannot guarantee that this is the case. Effectively, therefore, O2 does not know where the tape is or who may have access to it - a position which is far from ideal from a data protection compliance perspective and which the regulator (in this case the Data Protection Commissioner in Ireland) will no doubt be concerned about.

  • O2 has suffered a number of high-profile data protection breaches over the past couple of years (including displaying customer phone numbers on insecure websites) and holds the unenviable record of being the organisation which received the highest number of data protection complaints between August 2011 and August 2012 (48 in total). In an incredibly competitive environment where consumer trust is paramount, consumers are likely to be concerned about the ongoing data security issues within O2, which have also resulted in voluntary notifications to data protection and telecoms regulators.

Our Views

This issue reinforces our previous guidance on security and the use of third party data processors (however big/well-established/reputable your data processors may be):

  • Ensure you have a legally binding contract with every data processor (even if they are simply holding back-up copies of your data) which obliges your data processor to keep your data secure and to immediately inform you of any actual/potential breach.

  • Remember that as a data controller, it is you (O2 in this case) who is responsible/liable under data protection legislation even if the breach is due to your data processor (IBM in this case) - it is vitally important that your people understand that you retain responsibility/liability for breaches caused by your third party data processors (and training is absolutely key in this respect).

  • Ensure that your contract also sets out the obligations of the data processor in the event of an actual or alleged breach, i.e. what it is compelled to do (at its cost) to assist and co-operate with you, your advisers and regulators in investigating and mitigating the consequences of the breach, and to put processes and procedures in place to minimise the risk of a similar breach recurring.

  • Regularly check compliance with the terms of the contract and ensure that security processes and procedures are adequate, are being routinely implemented and that any non-compliance is being monitored and reported - don't simply assume that your data processor will do this for you (even if the contract obliges them to do so).

  • Security breaches continue to be a fertile area in which the ICO will issue fines and require companies to provide undertakings as to their security measures and future compliance with the DPA.

  • Security breaches are also fertile ground for the press and may result in serious reputational/brand damage, as well as having the potential to erode the relationship of trust which businesses will have worked hard to develop with their customers.

Whilst the DPA doesn't require businesses to ensure that personal data is never lost (as to do so would be impractical), it does require businesses to undertake appropriate and ongoing assessments of the security measures which they and their data processors implement and maintain in relation to the data they process. This case will be of concern not only to O2 (and its customers) but also to other customers who entrust IBM (and other large and well-respected IT service providers) to process their data securely.

This information is intended as a general discussion surrounding the topics covered and is for guidance purposes only. It does not constitute legal advice and should not be regarded as a substitute for taking legal advice. DWF is not responsible for any activity undertaken based on this information.