Securing company property and confidential information is vital if companies are to protect trade secrets and stay ahead of the competition. Safeguarding customer and employee data is also one of the most important provisions of the Data Protection Act 1998 (DPA), the seventh principle of which requires that “appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to personal data.”
The level of security required is judged according to the state of technological development and the cost of implementing any measures, appropriate to the nature of the data being protected and the potential harm that might result from a breach. As a result, companies should have up to date security and IT policies and procedures, as well as staff training, to guard against the risks.
Companies using third party data processors, such as cloud storage service providers, to process data on their behalf, must choose processors who can provide sufficient guarantees that they will also secure the data appropriately. Since the responsibility for compliance with the DPA remains with the data controller, (in this case, the company), companies need to take reasonable steps to ensure that data are sufficiently protected. In practice, this means entering into a contract under which the data processor must (a) act only on the instructions of the data controller and (b) comply with equivalent security obligations to those imposed on the data controller. It is therefore common for businesses to retain the right to check on the security offered by third party service providers and to conduct routine audits, to ensure data are processed securely.
Of course, making sure that your own employees are reliable and can be trusted to protect personal data is also sensible, as required by the DPA and many industry regulators. The recently reported incident of a U.S. employee, who allegedly outsourced his work to China, apparently without detection, for years (until a security audit uncovered his fraud) is a rare, but stark, example of the human risk to data security. The employee involved is said to have been a model employee, who attended work as normal and appeared busy, but spent his workday viewing YouTube and browsing the internet, whilst his work was done by a company in China. The employee had provided his credentials, including his RSA security token, to his Chinese substitute, who was then able to access the company’s network and produce his work, in his name.
Enhanced security and technological measures are not enough, if employees deliberately fail to comply with the rules.