When does a regulator pay costs? The Court of Appeal has spoken
The recent hacking of the customer details of 2.4 million customers of Carphone Warehouse provides a stark reminder of the risks of data breaches and the importance of effective data security.
Hackers accessed the names, dates of birth and bank details of Carphone Warehouse’s customers. The details of up to 90,000 customer credit cards may also have been accessed, although that information was, thankfully, encrypted. An attack of this kind increases the risk of identity theft for every customer affected. In late 2014, having suffered a similar breach, TalkTalk failed to warn its customers promptly, leaving them ill-prepared for the fraudulent phone calls that followed from individuals quoting their account numbers and other personal data. In this case, Carphone Warehouse took the responsible step of contacting affected customers swiftly so that they could change their passwords, contact their bank and credit card companies and remain alert to fraudulent calls in good time.
The impact on Carphone Warehouse should not be underestimated. If the Information Commissioner’s Office (ICO) finds that Carphone Warehouse has breached the data security requirements of the Data Protection Act 1998, it may take enforcement action, including the imposition of a fine. Although the maximum fine is currently £500,000, discussions are taking place within the European Union about whether to raise the limit to 5% of a company’s annual turnover (this is unlikely to affect Carphone Warehouse, as retroactive application of any new limit is improbable). Separately, affected customers may choose to sue. Most importantly, an event of this kind will have disrupted Carphone Warehouse’s business and undermined the confidence of existing and future customers. The incident will also have caused shareholder concern, as it will inevitably leave a dent in the phone company’s future profits.
Data security breaches are not just caused by external attacks upon a business. In the 2015 Information Security Breaches Survey, half of all organisations stated that the worst breaches were caused by inadvertent human error. Reviewing the fines that the ICO has imposed in the past for data security breaches, it is clear that a significant number relate to the inadvertent loss of portable devices.
It is impossible for any business to guarantee the security of the customer data it holds and the Data Protection Act does not require such a guarantee to be provided. However, the legislation does require “appropriate technical and organisational measures” to be taken against unauthorised access or accidental loss. The Money Shop was recently fined £180,000 by the ICO after one server was stolen and another lost in transit. The fine was imposed because the Money Shop failed to take the “appropriate measures” of ensuring that the personal data on its servers was encrypted and they were locked away at night.
What is appropriate for one business may be unsuitable for another. However, the following ten point guide provides a solid starting point for reasonably safeguarding the data held by your business:
This article was first published in Real Business 20.08.15
If you need legal advice in relation to data security or information law, please contact a member of our Data Protection Team.