- Published: 17 March 2010
- Written by NStinchcombe
Third of organisations not prepared for security breaches

If You Fail To Plan Then You Plan To Fail – It’s All In The Detail, and data security strategy is no different: you need a system to escape the ICO’s financial penalties to be levied from April.

London, 17th March 2010: Ahead of Infosecurity Europe opening its doors next month, one of its keynote speakers, Stewart Room, today offered organisations structured advice to keep them out of court and avoid the £500K fine that the Information Commissioner will be able to levy from April should they experience a security breach or data loss. This is an area where organisations inherently fail to plan: according to the results of an online poll conducted by Infosecurity Europe, a third of organisations admitted that if they experienced a security breach tomorrow they would not have a system in place to adequately deal with the incident.
Stewart’s advice is that, as far as data security and handling is concerned (and indeed in any area where there is a regulatory framework), organisations need to focus on two elements: the system and the operations. The system sets out the organisation’s position on security through documented rules, policies and procedures; the operations detail how the organisation implements the system in its day-to-day activities. The premise is that if the system is legally compliant and covers all the benchmarks within the legislation, then the law says that operational failures can be excused. That said, if you experience an operational failure and a breach occurs, the law is then interested in whether the system in place covers containment, damage limitation and recovery. In Stewart’s experience it is the system, and especially this latter part, that has historically been ignored, and it is on this point that many organisations face prosecution. “Most organisations unfortunately don’t have good systems for actually managing the problem. If a breach occurs, the law is really concerned with your behaviour at that point in time. You can’t unravel the past and pretend the breach didn’t occur; it’s what you do from that point on that will determine your culpability,” explains Stewart. “The law is about changing behaviours, so if you adopt an honourable stance from the outset, doing the right thing at the right time, then your legal team are in a very strong position to defend you to the regulator, arguing that you’re not the kind of organisation that has the profile that requires all of the effect of the law and therefore the punishment.” Organisations need to adopt the right behavioural controls, preferably before a breach, so that if the worst should happen they know what the right thing to do is.
In Stewart’s experience a data breach requires a multi-disciplinary response that may include some or all of the following: a security specialist, IT resources, a PR agency, legal advice, credit reporting services, credit file freezes and so on. An organisation should reflect on these requirements in advance so that, in a crisis situation, it isn’t left floundering.

Stewart Room is a partner at Field Fisher Waterhouse LLP and is the author of three books, the most recent titled ‘Butterworths Data Law & Practice’ (2009). Stewart is participating in a panel discussion in Infosecurity Europe’s Keynote Theatre titled ‘Compliance – How To Defend Yourself And Stay Out Of Court’.

A visit to Infosecurity Europe gives those responsible for securing their organisations the opportunity to research key trends and the emerging products to arm against them. With 300+ top infosecurity providers exhibiting from across the globe, it offers the most comprehensive showcase of solutions, products and services in the largest information security exhibition in Europe. Its FREE three-day educational programme addresses the issues facing information security, drawing on the knowledge and experience of nearly 100 leading security experts, industry innovators and speakers from the end-user community, who will provide expert analysis, real-life case studies, strategic advice and predictions to ensure attendees have the information needed to protect the operations of their companies. Nowhere else can you gain such valuable information from the industry’s leading lights free of charge and all in one event. For more details on this session, and on Infosecurity Europe, visit www.infosec.co.uk. The event takes place at Earls Court, London, from 27th–29th April 2010. For FREE entry and further information about Infosecurity Europe, visit the website and register today to avoid a £20 entrance charge.