Data protection hit the headlines again this weekend with Carphone Warehouse’s announcement that it had suffered a significant data security breach. Hackers accessed the personal information of up to 2.4 million customers, including encrypted credit card details of 90,000 of those customers.
Already we are seeing the potential effect that this could have on public trust in Carphone Warehouse, with customers taking to news sites and social media to express their disappointment with the retailer.
Data security breaches of this scale can do lasting damage to an organisation's reputation. For example, the 2013 breach at US retailer Target caused significant reputational harm: its chief executive was forced to resign and Target's name is still widely associated with one of the largest data breaches to have occurred.
Damage to reputation is just one side of the coin. Carphone Warehouse could also face a significant financial impact.
With the Information Commissioner's Office (ICO) investigating the breach, Carphone Warehouse could be fined up to £500,000 (the maximum monetary penalty under the Data Protection Act 1998), and the breach could affect its sales, profit and share price.
Many upset customers are also demanding compensation for the breach. Following the recent Court of Appeal decision in Vidal-Hall and others v Google, customers who would previously have had to prove financial loss in order to claim compensation can now be compensated for distress alone.
Given the number of customers affected, payouts could amount to large sums of money.
With attackers becoming more sophisticated, it is increasingly difficult to prevent every cyber-attack. However, the law requires organisations to take appropriate technical and organisational measures against unauthorised access, not to guarantee that a breach never happens. An organisation that can show it had such measures in place is far less likely to face a fine even if it does suffer a breach.
Possible steps organisations can take include the following.
First, making sure that personal information is encrypted, both where it is stored and while it is being transmitted. Encrypted information is of far less use to an attacker who obtains a copy of it, but only if the encryption keys are held separately from the data and are themselves tightly controlled; an attacker who gains administrative access to a system that holds both the data and the keys can simply decrypt it. The reports that encrypted card details were accessed in the Carphone Warehouse breach underline that encryption is only as strong as the way its keys are managed.
Second, putting robust contracts with third-party suppliers in place, which require strict data protection measures. Many data breaches have happened through a third-party supplier.
Third, training all staff in data protection compliance and breach recognition. One expert has speculated that the Carphone Warehouse attack may be down to human error by system administrators. Ensuring that all employees are aware of their data protection obligations can reduce this risk.
Next, implementing tiered access controls so that only employees who need personal information to perform their job can access and use it, with that access granted by role rather than by default, reviewed regularly and logged so that misuse can be detected.
Breach management is just as important as breach prevention. Putting in place a tested incident response plan, with robust escalation procedures and prompt notification of individuals whose data may have been compromised, can help to contain a breach and mitigate its effects.
These are only some of the steps that organisations can and should be taking. With the new EU General Data Protection Regulation and its dramatically increased fines on the horizon, it would be wise to take legal advice and conduct regular data protection audits to make sure that your organisation is doing all it can to avoid becoming the next headline.
First published by Retail Week on 10 August 2015.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at August 2015. Specific advice should be sought for specific cases. For more information see our terms & conditions.