Google’s January announcement that it has uncovered a ‘sophisticated and targeted’ attack on its infrastructure is a timely reminder that the threat posed by hackers should not be minimised. This attack originated from China and led to Google uncovering a systematic breach of the security of certain Google user accounts linked to Chinese human rights activists. The attack on Google and its implication of state surveillance may be seen as esoteric, but it reveals a basic truth: any organisation which holds personal data on individuals must be prepared for the fact that the data has value, and is therefore worth stealing.
In fact data is commonly stolen with much more prosaic aims. The legitimate collection of personal data for marketing purposes is an expensive and time-consuming exercise. Much more attractive, especially if one is already breaking the law by selling pirated software, fake watches or regulated medicines without a prescription, is simply to steal that personal data from a legitimate organisation. Or, at least, purchase that stolen data from a pseudonymous seller in a murky Internet back-alley. This creates a ready market for hackers’ ill-gotten gains.
The Data Protection Act 1998 requires organisations which process personal data to take appropriate technical and organisational measures against accidental loss or destruction of, or damage to, personal data.
This requirement is sometimes read as a requirement to ‘have a firewall in place’. The risk with this interpretation is that responsibility for complying with this aspect of data protection law can fall through the gaps between the lawyers and the engineers. Lawyers think ‘job done’ when the server engineers tell them they have installed a firewall. Those engineers implement a firewall because they are told to do so by the lawyers. It is entirely possible that no further thought goes into whether a firewall is the most appropriate technical measure, let alone organisational measure, to keep personal data safe.
Like its real world name-sake, a standard firewall is a relatively dumb device: it maintains a barrier between the system and the outside world. Clearly, if an organisation would like the public to use its web site and electronic services, putting those services behind a barrier is not going to be very helpful.
It is common practice to open a door in the firewall to allow external users to access an organisation’s web site. The firewall still prevents outsiders from directly accessing your internal systems or administrative functions (eg the web server’s ‘root’ console, used for systems maintenance), but allows public users of the site to pass through that door. However, on that basis, the firewall offers no protection to the web site. The organisation needs to be confident that its web site is secure in its own right.
If your web site collects and keeps personal data in a database (eg mailing list subscriptions and e-commerce order processing) it will contain software code to process that data. This code often follows fairly standard and well understood patterns. It does not take long for those in the know to interrogate the site to discover the way it works and where its weaknesses may be. Therefore your data security is only as strong as the site software’s ability to withstand such interrogation without revealing security weaknesses. If that software is insecure then your compliance with the Act is potentially compromised.
For example, last month a programmer in Birmingham discovered a way to access the name, password, e-mail address, post code and other personal data of over 400,000 users of a brand name e-commerce web site. This was not a sophisticated ‘cyber-attack’ against that company’s firewall. This was data that was already made available on the web site, in a downloadable XML file via a software bug (possibly because of sloppy programming by the original developer). No standard firewall would have prevented that mistake as the file was made available on the web site to which the firewall had already permitted access.
The programmer who discovered this breach did not reveal the name of the compromised web site; instead he has reported it to the company in question. That company is fixing the problem, and may also be speaking to its solicitors about whether it should notify the Information Commissioner of its breach of the Act. Of course, a less scrupulous individual – a competitor, a disgruntled customer or employee, or a spammer – could have used that file for nefarious ends.
As well as the clear reputational risk this presents, it is now very likely that significant fines will be levied by the ICO for serious breaches of data protection legislation. This new regime will come in to force on 6 April.
There are a number of steps that an organisation can take to mitigate these risks:
· Develop a comprehensive security policy, with both managers, lawyers and software engineers coming together to:
o set out the risks and identify weaknesses and pressure points in the organisation’s use of personal data;
o outline the procedures to audit software, hardware and business methods to ensure that the risk of accidental disclosure of personal data is minimised;
o make sure that systems and processes are designed not to hold personal data for longer than is necessary;
o identify any necessary additional precautions that need to be taken; and
o give ownership of information security to an individual or team of people in the organisation who are in charge of ensuring that the policy is complied with.
· Invest in training:
o if an organisation’s programmers and data centre engineers are not well versed in information security issues they will be prone to make mistakes which can have serious consequences;
o it should not be assumed that security is taught to or clearly understood by programmers as part of university or college courses – often it is not;
o additional training can help programmers understand how to write software that is effective and secure;
o additionally, customer-facing areas of your business should be trained how to react to and escalate reports of breaches of information security.
· Obtain specialist technical and legal advice:
o all organisations should ensure that they are aware of their legal responsibilities, if necessary by getting advice from data protection solicitors; it is less than optimal to speak to them for the first time only once the Data Protection Act is breached;
o specialist technology firms, and also some major professional services firms, offer ‘penetration testing’ services whereby they will act as a hacker to identify and report upon weaknesses in your infrastructure – although often expensive this may be money well spent as it allows fixes on issues before they become problems.
Consider whether it is appropriate to adhere to a published set of security standards (for example ISO 27001). This will provide a comprehensive framework upon which to develop an organisation’s information security management system and processes.
It should also be remembered that any organisation that outsources its technical development and operation is still acting as a data controller under the Act, and is still legally and reputationally at risk from a breach. Your provider should take these risks as seriously as you do, and likewise should be taking steps to mitigate them. Whilst helpful protections can be won at the contracting phase (do you know what your contract says on this issue?) information security is an ongoing issue and it is entirely appropriate to raise it with your provider at any time.
It is all too easy for lawyers and engineers to think the other is in charge of information security. These issues should be dealt with by the engineers and lawyers together. With regular examples of breaches and poor practice in the news, and the likely move to beef up the Information Commissioner’s enforcement powers, it is time to check that this risk is being dealt with effectively. There’s no point building a firewall if you leave the door open.
Chris James is a solicitor with Macfarlanes LLP, practising IT, IP and general commercial law.