The ICO told Out-Law.com that the new guidance would not set out specific guidelines on the technical measures businesses should have in place to ensure they comply with UK data protection rules. Instead, it would explain what a number of organisations that experienced a data breach, and were found to have breached the Data Protection Act (DPA), "should have done differently" in order to comply.
News of the new guidance comes as Sony announced that it had dropped its appeal against a decision by the UK's data protection watchdog to fine it £250,000 over a data breach that affected millions of UK gamers.
Sony Computer Entertainment Europe (SCEE) said it was dropping its appeal because it was unwilling to reveal details of its network security in appeal proceedings before the Information Rights Tribunal, despite disputing the ICO's decision to issue it with a penalty. It had been anticipated that the case before the Tribunal would provide a closer insight into what the ICO considers to be 'appropriate technical measures' for protecting the security of personal data.
In January the ICO determined that Sony was guilty of a serious breach of the UK's Data Protection Act (DPA) because it had not taken "appropriate technical measures" to protect the security of personal data stored on its PlayStation Network (PSN), data that was stolen when hackers broke into its systems in 2011. The ICO also said Sony had stored "excessive" amounts of customers' personal data on the PSN platform, in breach of the DPA.
Under the DPA organisations must take "appropriate technical and organisational measures ... against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data". The Act also requires organisations to ensure that the personal data they hold is "adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed".
At the time Sony said it strongly disagreed with the ICO's findings, defended the security of its systems, and vowed to appeal the decision, but it has now revealed that it has dropped that appeal.
"After careful consideration we (SCEE) are withdrawing our appeal," an SCEE spokesperson said. "This decision reflects our commitment to protect the confidentiality of our network security from disclosures in the course of the proceeding. We continue to disagree with the decision on the merits."
Although the Information Rights Tribunal proceedings in the Sony case may have provided some limited insight into what the ICO considers to be 'appropriate technical measures' for meeting data security requirements under the DPA, businesses should be focused on achieving more than the minimum standards for compliance, data protection expert Kathryn Wynn of Pinsent Masons, the law firm behind Out-Law.com, said.
"Whether the technical and organisational measures companies have put in place can be said to be 'appropriate' to meet the Data Protection Act requirements is something that can only be determined in accordance with facts specific to each individual case," Wynn said.
"This is because what the ICO considers to be 'appropriate' is measured against a number of factors, such as what technology is available to companies, the financial resources at their disposal, the number of people affected by, and the harm to individuals stemming from, a breach, how organisations respond when a breach happens, and what mitigating factors there are that can at least partially excuse businesses' failure to prevent breaches occurring," she said. "For example, it may be that the ICO would have looked more favourably on a smaller company, had it experienced a similar breach to the one Sony, a global company with significant resources available to it, was victim to."
"However, whether businesses meet the 'appropriate' standards of data security to comply with the Data Protection Act is almost a moot point. Businesses that experience data breaches are exposed to significant reputational damage and financial costs, of which regulatory penalties are just a small part. In addition, the disclosure of details of companies' security systems, vulnerabilities and fixes, highlighted by either the ICO or in Information Rights Tribunal proceedings, presents the danger that that sensitive information can be further exploited by hackers," Wynn added.
"Organisations should therefore not be focused on strict compliance with the Data Protection Act and whether what they have done meets the ‘appropriate’ threshold, but instead focus on putting in place measures and controls that will give them the best chance of actually preventing a breach and which will also contain and manage a breach should they be the victims of one," Wynn said.
The ICO told Out-Law.com that it does plan to issue new guidance on IT security to businesses, but said that precise technical standards would not be specified in it.
"The Data Protection Act requires ‘appropriate technical and organisational measures’ to be adopted in order to keep personal information secure," an ICO spokesperson said. "What constitutes appropriate would depend on a variety of factors ranging from the setup of an organisation’s IT system, the sensitivity of the personal data it contains and the resources available to the organisation. This would make it extremely difficult to provide a technical guidance document that meets everyone’s needs."
"Instead, we are currently working on a piece of guidance that will highlight previous IT security problems that have led to enforcement action by our office. The guidance will explain what the organisation should have done differently to keep people’s information secure. Once published we hope this document will provide some useful learning to all organisations, irrespective of the specific security setup they operate," they added.