Out-Law News 3 min. read
20 Jan 2015, 5:06 pm
Tom Leman of Pinsent Masons, the law firm behind Out-Law.com, said every retailer faces growing cyber security threats and that failing to recognise and respond appropriately to the risks could have serious implications for the viability of their business.
"The prospect of a data breach and the outcomes from such incidents are terrifying for both consumers and retailers alike," Leman said. "Where personal information, including rich payment card or bank account information, is compromised there is a very real threat of identity theft and fraud, with knock-on costs and damage to businesses whose data was exposed.
"One particular risk from a data breach incident is the erosion of consumer trust and damage to a business' reputation and brand. However, there is also the risk that retailers will face a growing cost of doing business if the cost of fraud is passed on to them by banks," he said.
Leman was commenting after the UK's data protection watchdog announced that shoe retailer Office had signed legal undertakings (3-page / 75KB PDF) with it to improve some data protection practices after falling victim to a hacking attack.
"Cyber security is sufficiently important to demand the attention of senior managers and board room members in the retail sector," Leman said. "For the chief information officer, they will want to know just how good the security measures deployed by their company are, whilst general counsels need to be confident that they can demonstrate their business did everything it could to protect data and had an effective incident response plan the company acted on in the event of a breach. The Target data breach case in the US highlighted the importance of IT security to retailers as well as the consequences there can be for senior executives and their jobs."
The Information Commissioner's Office (ICO) said the personal information of more than one million consumers was compromised when an old database Office operated was hacked into. The hacker bypassed "several technical measures" to gain access to the database which was left "unencrypted".
Contact information and website passwords were compromised in the attack, but no customer bank details were stored on the database and there is "no evidence" that the compromised data has been "further disclosed or otherwise used", the ICO said.
The compromised Office database was stored on a "legacy server" that was being replaced by a new system during an IT upgrade Office had undertaken. The company elected not to remove "the historic customer data" from the database before the IT changes were implemented because it believed this would "add complexity and a material risk of data mismatches, operation downtime and customer disruption", the ICO said.
The company has, however, admitted that the risks of removing the data were "less than originally thought" in hindsight.
In its signed undertakings, Office has committed to implementing "appropriate" data security measures and will carry out "regular penetration testing" on its websites and servers. The company has also agreed to establish a new data protection policy that specifies the amount of time the company will retain personal information for and how that data will be disposed of, and to provide data protection training to staff.
Data protection law expert Kathryn Wynn of Pinsent Masons said that the ICO "does not expect organisations to stay one step ahead of hackers" but that a sound data retention policy can help businesses to better contain the consequences of a data breach stemming from a cyber attack.
"With data storage now being so cheap, some organisations might take the view that data retention is not a risk area worth addressing; however, the timely destruction of historic data in accordance with company-wide data retention policies and procedures will not only help businesses address compliance issues such as data accuracy but also minimise risks that are inherent with a data security breach," Wynn said.
"In the event of a data breach, the ICO expects organisations to notify the affected individuals, so that the individuals can take steps to protect themselves from any harm caused by the breach," Wynn said. "However, this becomes an impossible task if that organisation is not able to verify the contact details contained within the historic data; the organisation risks facing a further data breach if multiple notifications are sent to old addresses."
Under the Data Protection Act, organisations must take "appropriate technical and organisational measures...against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data".
The ICO has the power to issue organisations with fines of up to £500,000 for serious breaches of the Data Protection Act. It has previously fined Sony £250,000 over data security failings that were highlighted by a hacking attack, and has also levied civil monetary penalties on other organisations for a breach of the data security requirements under the Act. The ICO has issued guidance to help organisations address IT security issues.