
Damage to brand image following data breach has bigger 'hit' than regulatory fines, admits watchdog

Out-Law News | 23 May 2014 | 4:58 pm | 2 min. read

The reputational damage big businesses can suffer if they fall victim to a data breach hits those companies harder than paying a civil monetary penalty, the UK's data protection watchdog has admitted.

Information Commissioner Christopher Graham, who has the power to issue businesses with fines of up to £500,000 for serious breaches of UK data protection laws, told BBC 5 Live's Breakfast programme that the damage to brand image is "the real hit" businesses should fear if customers' information is compromised following a cyber attack.

"[Online data breaches are] going to go on and on and on until businesses wake up and realise that personal information is not their play thing," Graham said. "It's our information, it needs to be protected and the brands that get it wrong will trash their reputation – that's the real threat for the eBay's and the Sony's of this world."

"[Civil monetary penalties are] not the real hit. The real hit is reputation, the real hit is the brand," he said.

Graham was commenting on the data breach incident involving online marketplace eBay which came to light earlier this week. He explained that the Information Commissioner's Office (ICO) could not immediately launch an investigation into the case without first consulting other European data protection authorities.

Graham said a decision over whether to take action against eBay would only be taken after a full investigation had been conducted, but he cited the £250,000 fine the ICO served Sony for a data breach previously as an example of the watchdog's willingness to pursue enforcement action against major global businesses if the circumstances merit it.

"We are certainly looking at the situation," Graham said. "We have to work with our colleagues in Luxembourg where eBay is based for European purposes. We were in touch with the Luxembourg data protection authority [on Thursday], but this is on the face a very serious breach."

"But this is early stages of an investigation and we must [make] sure that we get things right and don't get foot faulted and get in trouble with a load of lawyers," he said.

Earlier this week eBay announced that a database containing users' information had been compromised during a hacking attack earlier this year. The company said that the names, encrypted passwords, email addresses, postal addresses, phone numbers and dates of birth of its customers had been compromised in the attack.

The hackers had managed to access the database after compromising some eBay employees' accounts and gaining access to the company's corporate network, it said. The attack took place between late February and early March. The company has said that its tests to date have shown that there has been "no unauthorised activity for eBay users, and no evidence of any unauthorised access to financial or credit card information, which is stored separately in encrypted formats". However, it has advised its users to change their passwords for the site.

Asked if he was concerned about the delay between the breach and the company notifying customers about it, Christopher Graham said the company would be asked to explain that matter if an investigation is launched.

"Who knew what when; what did they do about it; what steps did they take to alert their customers; did they make the report to the authorities at the right point – that's the start of the investigation," Graham said.

The Information Commissioner said he was worried that both individuals and businesses are "not sufficiently alert to what is going on in the 21st century".

"Cyber crime is real. Hacking is real. Watch out, there's a data thief about," Graham said. "The personal information that is there online – practically everything we do, social, business, work, buying stuff, holidays – the data imprint is huge and none of us are taking this seriously enough. None of us are as good as we should be about passwords, [from] changing passwords regularly, [to setting] credible, hard passwords ... and companies aren't taking this seriously enough and they should be."

US authorities in Illinois, Florida, and Connecticut have already launched an investigation into the eBay data breach, according to a report by Reuters.