2

While writing an essay I came up with this question. If a hacker steals data I keep on a server, can I be held liable by the UK data protection act?

Example, I have customers address' on my server and I believe to have taken the correct precautions to stop hackers (e.g. Firewalls, Proper encryption, all that is necessary) despite all that a hacker uses a brand new hacking method on me and steals that data to then sell it on.

Would I then be able to be held liable by the using the data protection act?

Alex Wilson
  • 31
  • 6
  • 2
    This question would be more suited to the law stack exchange as it relates to legal repercussions of a security breach rather than the breach itself – iainpb Jan 12 '17 at 15:56
  • Difficult one. The answer from a legal PoV might be different, but you could probably argue that reasonable precautions had been taken. You would still need to be a registered data holder, and obey notification regulations. – Matthew Jan 12 '17 at 15:58
  • 6
    I'm voting to close this question as off-topic because it is a purely legal question. It should be asked at law.stackexchange.com instead. – Steffen Ullrich Jan 12 '17 at 16:10

2 Answers2

4

IANAL, but it seems that you can't be held liable for a data breach as long as:

  • you can demonstrate that you took appropriate measures to prevent the data from being accessed,

  • you periodically review these measures to ensure they are up to date, and

  • you deal with breaches in an a suitable way (including informing the people that have been affected)

Here are a couple of extracts from the ico.org.uk website on the subject:

What does the Data Protection Act say about the right to compensation?

If an individual suffers damage because you have breached the Act, they are entitled to claim compensation from you. This right can only be enforced through the courts. The Act allows you to defend a claim for compensation on the basis that you took all reasonable care in the circumstances to avoid the breach.

What does the Data Protection Act say about information security?

The Data Protection Act says that:

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

This is the seventh data protection principle. In practice, it means you must have appropriate security to prevent the personal data you hold being accidentally or deliberately compromised. In particular, you will need to:

  • design and organise your security to fit the nature of the personal data you hold and the harm that may result from a security breach;

  • be clear about who in your organisation is responsible for ensuring information security;

  • make sure you have the right physical and technical security, backed up by robust policies and procedures and reliable, well-trained staff; and

  • be ready to respond to any breach of security swiftly and effectively.

Community
  • 1
r3mainer
  • 875
  • 7
  • 10
  • 1
    I could be mistaken but I understand that is one of the reasons RedHat is purchased (even though Centos is effectively the same thing and costs no money). When someone asks "can you demonstrate" and "do you periodically review", pull out your subscription. Show that you are signed up to get the latest security updates. – emory Jan 12 '17 at 22:05
1

Disclaimer I Am Not A Lawyer.

The main part of the question is certainly more on topic on law.se, but it has IT security implications.

I assume that the legal part will end to: you are liable for the security of the data unless you can prove that you have used all appropriate measures.

And I am pretty sure that except of some special case (mostly health related data) the appropriated measures are not listed... And even when some are, you should have a detailed security policy describing precisely what is done, when and how, and who is in charge of it. That may dangerous if your security level is low because it will be visible. But it could help because if the security rules are known you will be able to prove what you have done to prevent hacking.

Among the questions:

  • what about physical security?
  • is there a clean segregation between production machines and non production ones, how is this implemented?
  • is there a clean, physical segregation between production and non production network, what are the firewall rules on the junctions?
  • how is the peripheral protection implemented, firewalls, reverse proxies, etc.?
  • what about in-depth protection (what happens if one machine or application was to be compromised)?
  • who has access on production machines, and with which priviledges?
  • are the admins and operators made aware of IT security threats, and how?
  • what about the backup policy?
  • in case of remote administration what are the remote authentication procedures?
  • are those procedures reviewed, when, by who and are actions proposed and set up?
  • is there any followup on those actions?
  • is there a security officer in your organization and how can he/she maintains his/her competences?

I do not expect the above list to beexhaustive, but if you just say huh... when facing one, it will be hard to pretend that you have taken all appropriate measures...

Serge Ballesta
  • 26,693
  • 4
  • 44
  • 89