Hackers accessed the names, dates of birth and bank details of Carphone Warehouse's customers. Some 90,000 customers' credit card details may also have been accessed, although this information was encrypted, which limits its value to an attacker provided the decryption keys were not also taken. An attack of this kind increases the risk of identity theft for every customer affected.
In late 2014, having suffered a similar breach, TalkTalk failed to warn its customers promptly. This left them ill-prepared for the fraudulent phone calls that followed, in which callers quoted their account numbers and other personal data to appear legitimate. In the case of Carphone Warehouse, the company took the responsible step of swiftly contacting affected customers so that they could change their passwords, contact their banks and credit card companies, and be on their guard against fraudulent calls in good time.
The impact on Carphone Warehouse should not be underestimated. If the Information Commissioner's Office (ICO) finds that Carphone Warehouse has breached the data security requirements of the Data Protection Act 1998, it may take enforcement action, including the imposition of a fine.
Although the fine is currently capped at £500,000, discussions are taking place within the European Union about raising the limit to five per cent of a company's annual turnover (this is unlikely to affect Carphone Warehouse, as retroactive application is improbable). Separately, affected customers may choose to sue. Most importantly, such an event will have disrupted Carphone Warehouse's business and undermined the confidence of existing and future customers. The incident will also have caused shareholder concern, as it will inevitably leave a dent in the company's future profits.
Data security breaches are not caused only by external attacks on a business. In PwC's 2015 "Information Security Breaches Survey", half of all organisations stated that their worst breaches were caused by inadvertent human error. Reviewing the fines the ICO has imposed in the past for data security breaches, it is clear that a significant number relate to the inadvertent loss of portable devices.
It is impossible for any business to guarantee the security of the customer data it holds, and the Data Protection Act does not require such a guarantee. The legislation does, however, require appropriate technical and organisational measures to be taken against unauthorised access to, and accidental loss of, that data.
The Money Shop was recently fined £180,000 by the ICO after one server was stolen and another was lost in transit. The fine was imposed because the Money Shop had failed to take appropriate measures: the personal data on the servers was not encrypted, and the servers were not locked away at night.
What is appropriate for one business will be unsuitable for another. However, the following ten-point guide provides a solid starting point for reasonably safeguarding the data held by your business:
(1) Conduct (or refresh) a risk assessment, and design your security measures with reference to the data you hold and the harm that could result from a breach of it. Bank details must always be treated with particular care.
(2) Make data security a board level responsibility. Identify individuals responsible for designing and implementing appropriate measures.
(3) Put in place appropriate technical security measures to protect your electronic systems, and ensure they remain up to date. This will include firewalls, malware protection, encryption of data at rest and in transit, strong passwords, management of user privileges on a least-privilege basis, and continuous monitoring.
(4) Put in place appropriate physical security measures. This will include controlling access to equipment on the premises, maintaining control over mobile and home working, and securely disposing of both hard-copy and electronic material, as well as equipment.
(5) Design and implement robust policies and procedures with respect to data handling.
(6) Ensure that every individual in the business is trained on these policies and procedures, and that the training is regularly refreshed. Build a culture of security awareness in your business.
(7) Ensure that any third parties that process data on your behalf are also subject to appropriate security measures, and confirm this in your contract with them. Consider the arrangements you have in place for data that is stored or processed in the cloud.
(8) Reduce the risk by minimising the data you hold. Securely delete, or archive away from live systems, customer data that is no longer needed.
(9) Be ready to identify and respond quickly and effectively to data security breaches. Delay only increases the potential damage to your customers and your business.
(10) Maintain a record of data security risks, near misses and breaches. Review it regularly and amend your security measures accordingly.
Emily Carter is a partner in Kingsley Napley's public law department.