The Information Commissioner’s Office recently dropped its investigation into BT’s disclosure of personal information of 500 customers. An employee of BT sent the information to ACS:Law, a law firm which prosecuted illegal file sharing.
Protestors who objected to ACS:Law’s tactics attacked the firm’s computers with a Distributed Denial of Service attack, and later hacked the firm’s computer system. The customer information sent by BT was unencrypted, and was accessed from ACS:Law during the hacking. The customer information was then posted online, and is still accessible through several file-sharing sites.
The regulator dropped the investigation, reasoning that BT had adequate policies and safeguards in place and that the disciplinary action BT took against the employee was sufficient. This drew significant criticism from privacy groups like Privacy International. “This is an incredibly dangerous decision for the ICO to have made as it effectively dissolves any pretense that a company is responsible for the actions of its employees at work,” said a representative.
It’s an interesting question: when does an employee’s action become the company’s action?
Employee vs. company responsibility
A corporation is a ‘person’ under the law, but can only act through its employees. In this instance, a BT employee sent customer information outside the firm in an unencrypted email, violating Principle 7 of the Data Protection Act and its prohibition against unauthorised disclosure. Presumably, BT had a policy that covered disclosure of customer data. The data in this instance was sent to ACS:Law reportedly as part of a copyright infringement case. This means that the employee was acting on his company’s behalf, albeit in a way that violated company policy.
Every company is at risk from rogue employees. But can an employee truly be called rogue when fulfilling the will of his or her employer? If BT authorised the disclosure of the information, should it not be held responsible for its employee’s failure to encrypt the transmission of that information? This is not a case where an employee leaks confidential information for his or her own purposes.
This is a transmission in the normal course of business. Last November, the ICO levied fines against A4e for losing an unencrypted laptop. That was an accident, yet the ICO fined A4e £60,000. It’s difficult to see the rational distinction between that case and this one.
Failure to encrypt
In this case, the wrongdoing wasn’t the disclosure, it was the failure to encrypt. And that is most certainly a company issue. The ICO says that adequate safeguards will protect a company. But can safeguards be adequate when so easily disregarded and circumvented? It’s an issue that often arises: can a company be said to have adequate procedures in the face of a negligent or reckless violation?
Certainly, a policy is not enough. A company should not prohibit something without sufficient monitoring to catch policy violations, training – including messaging from senior leaders – to educate employees about what is allowed and disallowed, written procedures for the most common types of activities that implicate the law, and disciplinary action against violators. If a company has all of these things, then and only then should it be able to escape liability for the negligent acts of its employees.
The need for industry guidance
At a minimum, the ICO should elaborate on its decision to decline: it should identify what stage the investigation had reached and which procedures specifically BT had in place that it found adequate, so as to give guidance to other companies. A regulator cannot appear to be arbitrary if it wishes to fulfil its mission. The ICO should display transparency in its investigative decisions. Otherwise, it is susceptible to claims that it is allowing companies to avoid liability for the acts of their employees. And without the ability to attribute to a company the acts of its employees, the ICO will have a hard time justifying future cases.
US companies are subject to the same issues, but in the US, regulators give credit for robust compliance programs. Rarely, if ever, would an investigation be dropped in the manner the ICO did. That said, what the BT employee did would not be a violation in the US, given the differing privacy regimes.
But the compliance elements, the need for policies, procedures, monitoring, training, and discipline, are the foundations of a strong compliance programme.