
Information Technology Law

PowerPoint Assignment
Data Protection Law
'The Reach of the Breach'

This presentation will briefly outline the law relating to data security breaches, note its criticisms and discuss how the law might develop in the near future.
Introduction

• As Hickey notes, technological advancements over the past few decades have '...undoubtedly jeopardised the privacy of individuals on a global level.' [1]
• The obligation to keep data secure stems from various different sources, for example the constitutional right to privacy, the European Charter of Fundamental Rights and contract law.
• However, the most important security obligations concerning data protection are those established by the Data Protection Acts 1988 and 2003.

1. Hickey, "Privacy and Data Protection Law from an Irish Perspective: Are our Secrets Really Safe?", (2003) 3() Hibernian Law Journal 263 at 263.

Section 2(1)(d)

• Section 2(1)(d) of the Data Protection Act 1988 provides that: [2]

  2(1) A data controller shall, as respects personal data kept by him or her, comply with the following provisions:
  (d) appropriate security measures shall be taken against unauthorised access to, or unauthorised alteration, disclosure or destruction of, the data, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

2. http://www.irishstatutebook.ie//en/act/pub/0025/sec0002.html#sec2 (accessed on /0/).
Appropriate Security Measures

• Section 2(c)(1), inserted by the Data Protection (Amendment) Act 2003, explains the term 'appropriate security measures' by stating that a data controller: [3]
  (a) may have regard to the state of technological development and the cost of implementing the measures, and
  (b) shall ensure that the measures provide a level of security appropriate to
    (i) the harm that might result from unauthorised or unlawful processing, accidental or unlawful destruction or accidental loss of, or damage to, the data concerned, and
    (ii) the nature of the data concerned.

3. http://www.irishstatutebook.ie/2003/en/act/pub/0006/index.html (accessed on 19/10/11).
Appropriate Security Measures

• Section 2(c)(2) states that a data controller/processor must take all reasonable steps to ensure that employees and other persons at the place of work concerned are '...aware of and comply with the relevant security measures aforesaid.'
• As well as this, Section 2(c)(3) compels data controllers to put in place contractual controls with data processors and to '...take reasonable steps to ensure compliance with those measures.'
Duty of Care

• s.7 of the 1988 Act created a general duty of care on the part of the data controller/processor.
• There are no reported Irish cases on the matter; however, McIntyre draws a comparison to the case of Gray v Minister for Justice [4], which concerned the negligent disclosure of information. [5]
• A failure to comply with this statutory tort can result in liability to the data subject.

4. (2007) IEHC 52.
5. McIntyre, "Lessons from laptop loss: Legal consequences where organisations lose personal data", (20) at 2. Available at http://www.tjmcintyre.com/search/label/data%20breaches.
Large Scale Data Breaches

• A recent large scale data breach was that of Sony PlayStation Network in early 2011, which compromised an estimated 100 million user accounts. [6]
• Even including the subsequent data losses on the part of Sony, it is not the largest breach of all time, as the following chart demonstrates. [7]

6. "United States: data protection online privacy", (20) Computer and Telecommunications Law Review.
7. http://www.informationweek.com/news/security/attacks/2300657 (accessed on 6/0/).
Large Scale Data Breaches

[Chart: records lost per breach, vertical axis "Records lost" scaled from 0 to 200,000,000. Statistics from research by Rasmussen College's School of Technology & Design.] [8]

8. http://www.rasmussen.edu/degrees/technology-design/blog/biggest-security-breaches-of-all-time/ (accessed on 2//).
Limitations

• As McIntyre notes, the liability based regime has many disadvantages when applied to large scale data breaches such as those discussed. Three are discussed here: [9]
• 1) Organisations do not wish to advertise the existence of a data breach; for example, it took Sony approximately three days to announce that there had been a hacking and that a large scale data breach had occurred. [10]
  Without speedy notifications, individuals may not be able to take protective action in time.
  This limits reactions to being 'reactive' as opposed to 'proactive'.

9. McIntyre, "Lessons from laptop loss: Legal consequences where organisations lose personal data", (20) at 3. Available at http://www.tjmcintyre.com/search/label/data%20breaches.
10. http://technology.gather.com/viewArticle.action?articleId=2772702 (accessed on 2/0/).
Limitations (continued)

• 2) Under Irish law it is unlikely that one individual will have suffered enough damage to justify bringing an action, for example an individual PS3 account holder.
  Should class actions be introduced?
  For example, as Brimsted notes, there is a potential class action against Sony in the US. [11]
• 3) The scope of s.7 of the 1988 Act is unsatisfactorily unclear.
  What type of harm does it cover?
  This position can be contrasted against the English position, which expressly separates the duty of care in cases of 'distress' and 'damage'. [12]

11. Brimsted, "Handling data security breaches -- is it time to revisit your procedures?", (20) (7) Privacy and Data Protection 3 at 3.
12. http://www.legislation.gov.uk/ukpga//2/section/3 (accessed on 7/0/).
International Responses to Limitations

• The Senate Bill 1386 (California 2003) notes that: [13]
• 'Any agency that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data ...' and that:
• 'The disclosure shall be made in the most expedient time possible and without unreasonable delay ...'

13. http://info.sen.ca.gov/pub/0-02/bill/sen/sb_35-00/sb_36_bill_2002026_chaptered.html (accessed on 7/0/).
National Responses to Limitations

• 2009: Minister for Justice, Equality and Law Reform establishes a Data Protection Review Group. [14]
• March 2010: Report of the Data Protection Review Group sets out that: [15]
  'The reporting obligations of data controllers in relation to data breaches should be set out in a statutory Code of Practice as provided for under the Data Protection Acts. The Code, broadly based on the current guidelines from the DPC, should set out the circumstances in which disclosure of data breaches is mandatory. Failure to comply with the disclosure obligations of the Code could lead to prosecution by the DPC.'

14. http://www.justice.ie/en/JELR/Pages/WP000005 (accessed on 22/0/).
15. http://www.justice.ie/en/jelr/dprgfinalwithcover.pdf/Files/dprgfinalwithcover.pdf (accessed on 22/0/).
National Responses to Limitations (continued)

• July 2010: Data Protection Commissioner approves Code of Practice.
• This sets out a general requirement to notify the office of the Data Protection Commissioner.
• This requirement will not apply where:
  (i) less than 100 subjects are affected
  (ii) all affected data subjects are notified
  (iii) no sensitive personal/financial data
  (iv) lost data securely encrypted
National Responses to Limitations (continued)

• As Wilkes points out, the intention was to make this Code of Practice a legally binding instrument; however, the '... required due process was not followed' and as such the Code of Practice remains just that: a code of practice. [16]
• Despite this, the Code has set the ball rolling. Importantly, it set the ball rolling in the right direction, that is the same direction as the Senate Bill 1386 and further.

16. Wilkes, "Is Europe ready to take on a US style security breach notification law?", (6) Privacy and Data Protection 3 at .
Conclusion

• The rise of 'hacktivism' by groups such as Anonymous and LulzSec has led to a sharp rise in large scale data breaches. [17]
• The 'silver lining' of this rather dark cloud is that these breaches highlight the flaws in our law which in time, it is suggested here, will lead to change for the better.
• The recently introduced Code of Practice, which was discussed earlier, is a strong indication of the direction that Irish law will take.

17. http://www.economist.com/blogs/babbage/2011/06/internet-insecurity (accessed on 26/10/11).
Thank You For Reading
