Data Security for Beginners
In recent years data security law has undergone root-and-branch reform. The principal focus of that reform has been the introduction of transparency mechanisms (notification of security breaches and data loss) and tougher sanctions.
Broadly speaking data security risk means four things: threats associated with people; malevolent threats to IT systems; risks from inadequate technologies; and risks from inadequate procedures.
People risk comes from human contact with data, and with the computer and communications systems that process data. A common example is ‘fat fingers’: pressing button A rather than button B and sending an email to the wrong person. Because humans interact with data and systems, failure is inevitable from time to time. That’s why international standards for best practice in security (such as the ISO 27000 series) include controls designed to reduce the risk of human error. The statutory requirement on controllers under data protection legislation to ensure the reliability of their employees (principle 7 of the UK Data Protection Act 1998) addresses the same point.
Malevolent threats to IT systems can include human factors (such as the rogue employee), but the phrase more commonly refers to things like malware (viruses, worms etc.), zero-day attacks, botnets and ‘social-engineering’ attacks such as phishing and pharming. These threats are usually difficult to identify and often go undetected. A zero-day attack is particularly pernicious because it exploits a security flaw that was previously unknown to the vendor, so no patch exists at the time of the attack.
In contrast, threats associated with inadequate technologies should be avoidable. If a company doesn’t have a patching policy for applying updates to its systems, if it fails to replace unsupported software with supported applications, or if it fails to install basic mandatory controls such as encryption, firewalls and anti-virus protection, then it will be at heightened risk of a security failure.
Inadequate processes arise from the failure to implement suitable documented rules for data security, or to follow them operationally. Security policies should set out an organisation’s high level approach to security (e.g. ‘we will ensure the security of confidential data in transit’), underpinned by associated controls (‘we will encrypt all back-up tapes that are transported between our offices’) and operating procedures (‘encrypted back-up tapes will be tracked throughout the entirety of their journey between offices’). If an organisation fails to implement adequate processes, a failure of security will be inevitable at some point. This is also the case if the organisation fails to follow its rules operationally.
There is no bright-line test to determine whether a security breach falls within one category or another. In practice breaches often result from multiple sources of failure. So, for example, an organisation that falls victim to a botnet-driven attack may turn out to have had both inadequate processes and inadequate technologies. The key point is that an organisation which considers itself the ‘victim’ of a security breach will usually find that it carries responsibility for the consequences.
27/05/2010
Data security is a key issue because security breaches can attract large fines and cause enormous reputational damage.