Out-Law News

ICO offers guidance on security and breach reporting for eID and trust services

Businesses that provide services designed to show that electronic data is authentic and can be trusted have been issued with new UK guidance that outlines their obligations on security and breach reporting.

In its guidance, which concerns the rules on electronic identification and trust services (eIDAS), the Information Commissioner's Office (ICO) said that 'trust service providers' must notify it within 24 hours of becoming aware of "any breach of security or loss of integrity that has a significant impact on a trust service provided or on the personal data maintained therein".

The watchdog has provided a specific eIDAS breach notification form that trust service providers would need to fill out to report a breach to it.

"You do not need to report every incident relating to a lapse in security or integrity of a trust service," the ICO said. "However, where you have reason to believe that an incident has or is likely to have a significant (more than minimal) impact on the trust service or the personal data you hold, you need to: notify the ICO; consider whether to notify your users; and consider whether to inform anyone else who might be affected. If you are not sure about whether the impact of an incident is significant or not, it is safer to report the breach."

The ICO said businesses should still review their security measures even if the breach they experience does not have to be reported. It said the security measures a trust service provider has in place should be "proportionate to the risks it safeguards against".

"You don’t always have to have state-of-the-art security technology to protect your trust service, but you should regularly review your security measures as technology develops," the ICO said.

The watchdog said trust service providers need to "carry out regular risk assessments of the security of your trust services; identify and classify security risks according to degree of risk posed and the harm that could result; make sure you have appropriate technical security and organisational measures to mitigate those risks, including robust policies and procedures and reliable, well-trained staff; and respond to any security incidents that do occur swiftly and effectively to help prevent and minimise their impact".

Stiffer security measures apply to 'qualified trust service providers', which are businesses that have been granted qualified status by the ICO and which are able to use the EU trust mark to differentiate their service as meeting the higher standards of compliance that apply.

The additional obligations on qualified trust service providers include a need to ensure staff and subcontractors have "the necessary expertise, experience and qualifications" and that they have received "appropriate security and data protection training".

Further controls on access to data, and internal processes and procedures to "support the security of the trust service and protect against forgery and theft", should also be implemented by qualified trust service providers, the ICO said in its guide.

The ICO was handed oversight responsibilities for the eIDAS regime last year. It has powers to grant and revoke qualified status for trust service providers established in the UK, report on security breaches, carry out audits and take enforcement action.

The Electronic Identification and Trust Services for Electronic Transactions Regulations came into force on 22 July 2016. The Regulations implement EU rules on electronic identification and trust services that were enacted into EU law in 2014.

The EU regulation is designed to promote mutual recognition among EU countries of national electronic identification schemes that may operate. It also imposes new security obligations on trust service providers as well as rules on authentication of individuals and privacy.

Trust service providers are companies that create, verify and validate electronic signatures, seals, time stamps, registered delivery services and certificates related to those services or certificates for website authentication, or which preserve electronic signatures, seals or certificates for such services.

Under the EU framework, trust service providers can apply for 'qualified status' and can display an "EU trustmark to indicate in a simple, recognisable and clear manner the qualified trust services they provide".

The EU rules also lay out standards for enabling electronic signatures to take on the "equivalent legal effect of a handwritten signature". Similar measures are designed to give recognition to electronic seals and electronic time stamps on digital documents to validate and verify online agreements.

Trust service providers in the UK that breach the eIDAS regulations face being fined up to £1,000 by the ICO, although those businesses can appeal to the Information Rights Tribunal.
