In their article on data security protection, Helen Clarke and Melissa Burrill (Corrs Chambers Westgarth) set out an admirable approach to legal protections for data security. However, their advice breaks the first rule of data security: if you don't control it, you can't secure it. Fundamentally, businesses need to hold their secret information close, or put active measures in place to secure it, if they are to avoid data security breaches. In the end, the threat of legal sanction will not stop criminal action by third parties.
The chart below shows the most high-profile data security breaches of 2012. Clearly, the breaches bear no relation to the strength of potential legal action or the drafting of data protection clauses. No amount of contractual due diligence would have assisted these companies' clients, as the breaches were not due to lax security procedures that such diligence could have uncovered.
Contracts and legal sanction are useful only for recovering damages and enforcing restitution to cover immediate financial losses. They will not cover the loss of brand equity or market share that follows a breach.
The only way to truly secure information is to manage it in-house. If businesses wish to keep secret or confidential data in a cloud, they should store it encrypted and hold the keys themselves, so that the provider, and anyone who compromises the provider, sees only ciphertext. Alternatively, they can split the data: hold the bulk of each record unencrypted in the cloud, keyed by an opaque identifier, and keep the table that links those identifiers to the actual names of clients locally. In either design the security of the arrangement rests entirely on the key or the linking table never leaving the business's control; if it is copied to the cloud for convenience, the protection is gone.
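The split-database approach described above, as an added example that is not part of the original article: each client record is pseudonymised in-house before it leaves the business, the cloud receives only the tokenised rows, and the small table that maps tokens back to names stays local. The token is an HMAC of the name under a key the business holds, so a party holding the cloud copy cannot brute-force names from a candidate list; with a plain unkeyed hash it could. The key, the field names and the sample records are all assumptions for illustration (a production system would key the token off a unique internal client identifier rather than the name, to avoid two clients with the same name sharing a token).

```python
import hmac
import hashlib
import secrets

# Added example, not code from the original article.
# Assumed: LOCAL_KEY is generated once, kept in-house (an HSM, a KMS the
# business controls, or an offline vault) and never sent to the cloud provider.
LOCAL_KEY = secrets.token_bytes(32)


def tokenise(name: str, key: bytes = LOCAL_KEY) -> str:
    """Keyed pseudonym for a client name.

    HMAC rather than a bare hash: without the key, an attacker holding the
    cloud copy cannot recover names by hashing a list of likely candidates.
    Names are normalised so trivial spelling differences map to one token.
    """
    normalised = " ".join(name.split()).lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def split_record(record: dict, key: bytes = LOCAL_KEY):
    """Return (cloud_part, local_part) for one record.

    cloud_part keeps every field except the client name, with the token in
    its place; local_part is the single row mapping token -> real name.
    """
    token = tokenise(record["name"], key)
    cloud_part = {k: v for k, v in record.items() if k != "name"}
    cloud_part["client_token"] = token
    local_part = {token: record["name"]}
    return cloud_part, local_part


def split_dataset(records, key: bytes = LOCAL_KEY):
    """Pseudonymise a batch: rows destined for the cloud, plus the local map."""
    cloud_rows = []
    local_map = {}
    for rec in records:
        cloud_part, local_part = split_record(rec, key)
        cloud_rows.append(cloud_part)
        local_map.update(local_part)
    return cloud_rows, local_map


def reidentify(cloud_rows, local_map):
    """The join that only the business can perform: restore names in-house."""
    restored = []
    for row in cloud_rows:
        merged = dict(row)
        token = merged.pop("client_token")
        merged["name"] = local_map[token]
        restored.append(merged)
    return restored


# Constructed sample records for the example (not real client data).
SAMPLE = [
    {"name": "Alice Example", "balance": 1250.00, "plan": "gold"},
    {"name": "Bob Sample", "balance": 80.50, "plan": "basic"},
]

if __name__ == "__main__":
    cloud, local = split_dataset(SAMPLE)
    print("rows sent to the cloud (no names):")
    for row in cloud:
        print("  ", row)
    print("local linking table (never leaves the business):", local)
    print("restored in-house:", reidentify(cloud, local))
```

Run it and note that the cloud rows carry balances and plans but no name; the linking table is the only thing that ties a token to a person, so losing the cloud store exposes account data without identities, while losing the linking table alone exposes names without account data. Rotating LOCAL_KEY requires re-tokenising the cloud rows, which is the operational cost of keeping the key out of the provider's hands.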
If businesses wish to remain wilfully blind (or to take a calculated risk) and outsource the storage of secret information, they should at least build in operational measures, such as moving or encrypting the data, or realigning data against accounts, so that a breach causes no monetary loss to their clients.