An interesting article by Tom Lingard and Hannah Ford from Stevens & Bolton on which conditions must be met for information to be regarded as confidential and therefore protected under relevant legislation. There are three key tests: firstly, it must be 'secret' in that it is not generally known; secondly, it must have commercial value because it is secret; and finally, it must have appropriate controls in place to keep it secret.

From a technical perspective there are both protective and investigative measures that can be considered to help organisations meet these criteria in respect of their confidential data.  

On the protective side, this is a classic case where appropriate data security measures are implemented. This does not just mean technical measures, but also having appropriate policies and procedures and, most importantly, training staff on the importance of data security. It is also important to ensure that the confidential data is protected above and beyond other data, for example by keeping it in a restricted area of the network with additional security measures and logging applied to it. This is a topic that needs to be regularly revisited and assessed to ensure that appropriate measures remain in place.

From an investigative perspective, it is important that organisations employ controls to help them detect any infringements of their confidential data.  These basically come in two guises:

  1. Proactive controls to monitor and protect the use of the data within the organisation.  This can include device/access restrictions (for example, disabling USB ports or access to file-sharing websites) as well as scanning of network traffic and device usage (for example, reviewing large email attachments or data uploads) - this is often referred to as Data Loss Protection software.
  2. Reactive controls to investigate specific devices and the activity of individuals leaving the organisation, to establish whether there are any indications of confidential data being taken.  This can include a multitude of tasks, from a simple document review of outbound emails to a forensic analysis of the machine to see what data was accessed and what the user did with it.  This can often be very revealing!
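To make the proactive control above concrete, here is an added example (not from the article or from any DLP product) of a minimal check run over constructed log lines: it flags outbound transfers that are large or that go to file-sharing sites, and raises the severity when the same user earlier accessed the restricted confidential share. The log format, the 10 MB threshold, the domain watch-list and the share path are all assumptions for illustration.

```python
"""Added example: a minimal DLP-style check over constructed log lines.
Log format, thresholds, domains and share path are illustrative assumptions."""
from dataclasses import dataclass

# Constructed sample logs in an assumed "kind user destination bytes" format.
SAMPLE_LOG = """\
share_access alice restricted/confidential/bids 0
email alice partner@example.org 18000000
upload bob dropbox.com 2500000
email carol colleague@corp.example 40000
upload alice wetransfer.com 60000000
"""

LARGE_BYTES = 10_000_000                            # assumed threshold: 10 MB
FILE_SHARING = {"dropbox.com", "wetransfer.com"}    # assumed watch-list
CONFIDENTIAL_SHARE = "restricted/confidential"      # assumed restricted area


@dataclass
class Alert:
    user: str
    destination: str
    reason: str
    severity: str


def parse(log: str):
    """Yield (kind, user, destination, size_in_bytes) for each log line."""
    for line in log.splitlines():
        kind, user, dest, size = line.split()
        yield kind, user, dest, int(size)


def detect(log: str) -> list[Alert]:
    """Return alerts for large or file-sharing transfers; severity is 'high'
    when the user had previously accessed the confidential share."""
    touched = set()     # users seen accessing the confidential share
    alerts = []
    for kind, user, dest, size in parse(log):
        if kind == "share_access" and dest.startswith(CONFIDENTIAL_SHARE):
            touched.add(user)
            continue
        reasons = []
        if size >= LARGE_BYTES:
            reasons.append(f"large transfer ({size} bytes)")
        if kind == "upload" and dest in FILE_SHARING:
            reasons.append("file-sharing destination")
        if reasons:
            severity = "high" if user in touched else "medium"
            alerts.append(Alert(user, dest, "; ".join(reasons), severity))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Running it on the sample produces three alerts: two for alice at high severity and one for bob at medium; carol's small internal email is not flagged.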

What is important is that organisations treat confidential data as such and deploy appropriate controls if they are going to successfully rely on the legal measures available to them.  If you would like to find out more on this, please feel free to reach out to me.