28th February 2018
Walker Morris’ Regulatory specialist Jeanette Burgess provides an update, and offers her practical advice, on live data protection and cybersecurity risks.
Data protection and cyber security continue to hit the headlines.
Last month the Information Commissioner’s Office (ICO) issued one of its largest ever fines to Carphone Warehouse – £400,000 – after the company’s failure to secure its computer system allowed hackers, in 2015, to access the personal data of over 3 million customers and 1,000 employees.
In November 2017 the ICO voiced “huge concerns” over the fact that hackers had accessed Uber’s user data (including the names and driver’s licence numbers of around 600,000 drivers in the United States, and the names, e-mail addresses and mobile phone numbers of 57 million users around the world) a year earlier, and that Uber had failed to report the incident to regulators or to those affected by the breach. The ICO’s Deputy Commissioner (Operations) said that “Deliberately concealing breaches from regulators and citizens could attract higher fines for companies”.
In September 2017 news broke of a massive cyber attack affecting US credit rating firm Equifax. The ICO’s investigation into that breach, and its impact on the data of potentially 44 million businesses and consumers within the UK, is ongoing.
This all follows the £400,000 fine issued to TalkTalk by the ICO in 2016 for security failings which allowed a 17-year-old boy, showing off to his friends, to access customer data, and Tesco Bank paying out £2.5 million to 9,000 customers who had money stolen from their accounts following a cyber security breach in the same year.
Retailers, and retail finance firms, are clearly at real risk of being targeted by hackers. Information Commissioner Elizabeth Denham’s recent comments on the Carphone Warehouse breach strike a chord:
“A company as large, well-resourced and established as Carphone Warehouse should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks. Carphone Warehouse should be at the top of its game when it comes to cyber security, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures.”
With the coming into force of the new General Data Protection Regulation (GDPR) on 25 May, the law will become more stringent than ever before. All retailers and consumer finance businesses need to ensure that they have sufficiently secure systems and processes in place, both to comply with GDPR requirements and to withstand the challenges posed by the increasingly prevalent threat of a cyber attack.
The ICO has published helpful guidance, including its Guide to the GDPR, 12 steps to take now and various toolkits; and the National Cyber Security Centre offers useful guidance on the steps organisations can take to protect themselves.
Walker Morris has also published client briefings which highlight advice for businesses in the final run-up to ‘GDPR-day’ [1], and explain the practical steps that we can help you to take so that your business can positively and proactively meet its data security challenges [2].
For further advice or information, please do not hesitate to contact Jeanette Burgess.
____________________
[1] See our GDPR briefing for retailers and our GDPR briefing for retail lenders.
[2] See our briefings on Cybercrime, fraud and protecting your position and Tips to improve your cybersecurity and protect personal data.